kevinhakanson.com

Out with HPKP, in with CAA?

August 30, 2017 #http #security

I hadn’t looked at HTTP Public Key Pinning (HPKP) in detail until "Pokemon Go vs. Certificate Pinning", and later realized how bad things could get with HPKP and RansomPKP.  Now, as I read "I’m giving up on HPKP" from Scott Helme (@Scott_Helme), I think I agree with this statement:

The problem with HPKP is that it can be quite a complex idea to get your head around and requires a perfect deployment otherwise things can go wrong.

So, what instead?  Maybe use Certificate Authority Authorization (CAA), which is a DNS record that lists the Certificate Authorities (CAs) which are permitted to issue certificates for your domain.  Luckily for our AWS-based projects, Amazon Route 53 now supports CAA records.
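To make the CAA idea concrete, here is an added example (not from this post, Route 53 or any CA's code) that models how a CA consults CAA before issuing: find the relevant RRset by climbing from the requested name toward the root, then check the `issue`/`issuewild` properties as RFC 8659 describes.  The zone data and the CA identifiers `ca-a.example`/`ca-b.example` are constructed placeholders.

```python
"""Offline model of CAA (RFC 8659) issuance checks. Zone data is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the property "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "ca-a.example" or ";" meaning "no CA may issue"

# Constructed zone: CAA lives at the apex; names below it inherit these
# records via the climbing rule (walk up one label at a time until found).
ZONE = {
    "example.com.": [
        CAA(0, "issue", "ca-a.example"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "dev.example.com.": [CAA(0, "issue", "ca-b.example; account=42")],
}

def relevant_rrset(name: str) -> list:
    """Return the CAA RRset governing `name`: its own, else the nearest ancestor's."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = ZONE.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels.pop(0)
    return []   # no CAA anywhere on the path: issuance is not restricted

def _issuer_domain(value: str) -> str:
    # "ca-b.example; account=42" -> "ca-b.example"; ";" -> "" (explicit deny)
    return value.split(";", 1)[0].strip().lower()

def may_issue(name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether `ca_domain` may issue for `name` (or *.name if wildcard)."""
    rrset = relevant_rrset(name)
    if not rrset:
        return True
    # A critical flag on a property the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    # issuewild, when present, overrides issue for wildcard requests only.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = {_issuer_domain(r.value) for r in rrset if r.tag == tag}
    if not allowed:
        return True   # only iodef (or nothing relevant): no restriction on this request
    return ca_domain.lower() in allowed
```

Note that `dev.example.com` has its own RRset, so the apex's `ca-a.example` permission does not apply there; a real deployment would also need CNAME handling, which this model omits.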