[tor-bugs] #25146 [Internal Services/Tor Sysadmin Team]: Enable HPKP for aus1

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 12 18:38:55 UTC 2018


#25146: Enable HPKP for aus1
-------------------------------------------------+---------------------
 Reporter:  gk                                   |          Owner:  tpa
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+---------------------

Comment (by micah):

 Google announced it is deprecating HPKP:
 https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

 I believe in general HPKP is going away because it is extremely risky. A
 trivial mistake will brick your site, but Google says it’s too hard to
 build a pin-set that’s guaranteed to work and the risk of hostile pinning.
 Hostile pinning hasn’t been observed yet, but it’s an attack that allows
 someone to take your site hostage should they somehow be able to obtain a
 valid certificate for your domain.

 Adoption rate of HPKP has been very low, and because of that browser
 vendors are looking to replace it. Right now the alternatives are
 Expect-CT and CAA. I don't think it makes a lot of sense to pursue HPKP
 right now.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25146#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

