In the effort to mitigate man-in-the-middle (MITM) attacks,
which uses fraudulent SSL certificates, the Public Key Pinning Extension for
HTTP (HPKP) has been designed, in order to create a more reliable method of
approving a Web server's digital certificate. HPKP permits a site administrator
to put up a certificate authority's (CA) public key or certificate to their
server's certificate and send the data in an HTTP header. This enables browsers
and other apps to see that a server's certificate is approved and signed by a
specific whitelisted CS, rather than depending on a chain verification
certificate to validate it. The certificate verification stage of the
connection is used to carry out the check, prior to any data being sent by the
browser.
Google Chrome has been supporting Public Key Pinning for
some time now and it has helped in detecting fraudulent SSL certificate issued
by DigiNotar, employed in a MITM attack against Google users in Iran and as
intermediate CA certificates wrongly issued by TurkTrust. These lapses in the
CA infrastructure are sabotaging the confidence in the CA hierarchy of trust.
This is the main reason why important browsers are embracing certificate
pinning. Besides, public key pinning is supported by Firefox and Google Chrome,
Microsoft is also considering it for inclusion in Internet Explorer and a new
Web browser, Spartan.
Header set Public-Key-Pins
"pin-sha256=\"base64+info1==\";
pin-sha256=\"backup+pin+here==\"; max-age=15768000;
includeSubDomains" (Note: This requires enabling of apache mod_headers)
Including a pin for a backup certificate, which is not being
used in production, is also a good practice. This assures that the site is
accessible, even after the main certificate gets removed.