kevinhakanson.com

Out with HPKP, in with CAA?

August 30, 2017 #http #security

I hadn’t looked at HTTP Public Key Pinning (HPKP) in detail at until Pokemon Go vs. Certificate Pinning, and later realized how bad things could get with HPKP and RansomPKP.  Now, as I read I’m giving up on HPKP from Scott Helme (@Scott_Helme) I think I agree with this statement:

The problem with HPKP is that it can be quite a complex idea to get your head around and requires a perfect deployment otherwise things can go wrong.

So, what instead?  Maybe use Certificate Authority Authorization (CAA), which is a DNS record that lists the Certificate Authorities (CAs) which are permitted to issue certificates for your domain.  Luckily for our AWS based projects, Amazon Route 53 now supports CAA records.


Kevin Hakanson

Multi-Cloud Certified Architect | DevSecOps | AppSec | Web Platform | Speaker | Learner | Builder
Twitter | LinkedIn | GitHub | Stack Overflow | Credly

© 2021 Kevin Hakanson (built with Gatsby)