A vast amount of information becomes readily accessible online today. It is therefore, essential to have adequate safeguard mechanisms in place to protect such vital resource. As such, browsers like Google Chrome, Mozilla Firefox that provide key to this resource, support features like Public-key pinning. Not wanting to trail, Microsoft has decided to join the league.
Microsoft is considering adding public-key pinning to Internet Explorer. Public-key pinning is a prolongation to HTTP, a feature designed to help protect users against the types of MITM attacks that rely on forged certificates. Attackers use forged or stolen certificates to trick victims’ browsers into trusting a malicious site that the attacker controls.
Public-key pinning helps prevent those attacks by binding a set of public keys issued by a trusted certificate authority to a specific domain. With such defense in place, if the user visits the site and is presented with a key that’s not part of the pinned set, the browser rejects the secure connection.
Deploying PKP safely require operational and organizational maturity due to the risk that hosts may make themselves unavailable by pinning to a (set of) SPKI(s) that becomes invalid. With care, host operators can greatly reduce the risk of main-in-the-middle (MITM) attacks and other false-authentication problems for their users without incurring undue risk.
When an individual visits a site that is pinned, the lock icon appears. However, if the individual visits a site that has a root certificate that has been pinned and the certificate for that site does not match the pinned CA’s Root Certificate, the browser just refuses to allow the connection.
In this way, Public-key pinning manages to forestall attacks by contracting a set of open keys released by a devoted certificate management to a specific domain.