{
	"id": "a119338b-f543-44f3-baba-fc8b3f7883ac",
	"created_at": "2026-04-06T00:12:55.503378Z",
	"updated_at": "2026-04-10T03:36:48.010617Z",
	"deleted_at": null,
	"sha1_hash": "2b10d88a1cd9ef49ffa32d102e6822b672da794f",
	"title": "HTTP Public Key Pinning",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118559,
	"plain_text": "HTTP Public Key Pinning\r\nBy Contributors to Wikimedia projects\r\nPublished: 2015-03-08 · Archived: 2026-04-05 14:29:13 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nHTTP Public Key Pinning (HPKP) is an obsolete Internet security mechanism delivered via an HTTP header\r\nwhich allows HTTPS websites to resist impersonation by attackers using misissued or otherwise fraudulent digital\r\ncertificates.\r\n[1]\r\n A server uses it to deliver to the client (e.g. a web browser) a set of hashes of public keys that must\r\nappear in the certificate chain of future connections to the same domain name.\r\nFor example, attackers might compromise a certificate authority, and then mis-issue certificates for a web origin.\r\nTo combat this risk, the HTTPS web server serves a list of “pinned” public key hashes valid for a given time; on\r\nsubsequent connections, during that validity time, clients expect the server to use one or more of those public keys\r\nin its certificate chain. If it does not, an error message is shown, which cannot be (easily) bypassed by the user.\r\nThe technique does not pin certificates, but public key hashes. This means that one can use the key pair to get a\r\ncertificate from any certificate authority, when one has access to the private key. Also the user can pin public keys\r\nof root or intermediate certificates (created by certificate authorities), restricting site to certificates issued by the\r\nsaid certificate authority.\r\nDue to HPKP mechanism complexity and possibility of accidental misuse (potentially causing a lockout condition\r\nby system administrators), in 2017 browsers deprecated HPKP and in 2018 removed its support in favor of\r\nCertificate Transparency.\r\n[2][3]\r\nThe server communicates the HPKP policy to the user agent via an HTTP response header field named Public-Key-Pins (or Public-Key-Pins-Report-Only for reporting-only purposes).\r\nThe HPKP policy specifies hashes of the subject public key info of one of the certificates in the website's\r\nauthentic X.509 public key certificate chain (and at least one backup key) in pin-sha256 directives, and a period\r\nof time during which the user agent shall enforce public key pinning in max-age directive, optional\r\nincludeSubDomains directive to include all subdomains (of the domain that sent the header) in pinning policy\r\nand optional report-uri directive with URL where to send pinning violation reports. At least one of the public\r\nkeys of the certificates in the certificate chain needs to match a pinned public key in order for the chain to be\r\nconsidered valid by the user agent.\r\nAt the time of publishing, RFC 7469 only allowed the SHA-256 hash algorithm. (Appendix A. of RFC 7469\r\nmentions some tools and required arguments that can be used to produce hashes for HPKP policies.)\r\nA website operator can choose to either pin the root certificate public key of a particular root certificate authority,\r\nallowing only that certificate authority (and all intermediate authorities signed by its key) to issue valid certificates\r\nhttps://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning\r\nPage 1 of 4\n\nfor the website's domain, and/or to pin the key(s) of one or more intermediate issuing certificates, or to pin the\r\nend-entity public key.\r\nAt least one backup key must be pinned, in case the current pinned key needs to be replaced. The HPKP is not\r\nvalid without this backup key (a backup key is defined as a public key not present in the current certificate chain).\r\n[4]\r\nHPKP is standardized in RFC 7469.[1] It expands on static certificate pinning, which hardcodes public key hashes\r\nof well-known websites or services within web browsers and applications.[5]\r\nMost browsers disable pinning for certificate chains with private root certificates to enable various corporate\r\ncontent inspection scanners[6] and web debugging tools (such as mitmproxy or Fiddler). The RFC 7469 standard\r\nrecommends disabling pinning violation reports for \"user-defined\" root certificates, where it is \"acceptable\" for\r\nthe browser to disable pin validation.[7]\r\nIf the user agent performs pin validation and fails to find a valid SPKI fingerprint in the served certificate chain, it\r\nwill POST a JSON formatted violation report to the host specified in the report-uri directive containing details of\r\nthe violation. This URI may be served via HTTP or HTTPS; however, the user agent cannot send HPKP violation\r\nreports to an HTTPS URI in the same domain as the domain for which it is reporting the violation. Hosts may\r\neither use HTTP for the report-uri , use an alternative domain, or use a reporting service.[8]\r\nSome browsers also support the Public-Key-Pins-Report-Only , which only triggers this reporting while not\r\nshowing an error to the user.\r\nCriticism and decline\r\n[edit]\r\nDuring its peak adoption, HPKP was reported to be used by 3,500 of top 1 million internet sites, a figure that\r\ndeclined to 650 around the end of 2019.[9]\r\nCriticism and concern revolved around malicious or human error scenarios known as HPKP Suicide and\r\nRansomPKP.\r\n[10][11]\r\n In such scenarios, a website owner would have their ability to publish new contents to their\r\ndomain severely hampered by either losing access to their own keys or having new keys announced by a\r\nmalicious attacker.\r\nBrowser support and deprecation\r\n[edit]\r\nBrowser support for HTTP Public Key Pinning\r\nBrowser Version added Version deprecated Version removed Notes\r\nGoogle Chrome 46[12] 67[13] 72[14][15]\r\nhttps://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning\r\nPage 2 of 4\n\nOpera 33[16] 54[17] 60\r\nFirefox 35 72[18][19] 78[20]\r\nInternet Explorer N/a[21] N/a N/a\r\nMicrosoft Edge N/a[21] N/a N/a\r\nSafari N/a N/a N/a\r\nCertificate authority compromise\r\nCertificate Transparency\r\nHTTP Strict Transport Security\r\nList of HTTP header fields\r\nDNS Certification Authority Authorization\r\nPublic Key Pinning Extension for HTTP (HPKP) on MDN Web Docs\r\n1. ^ Jump up to: a\r\n \r\nb\r\n Evans, Chris; Palmer, Chris; Sleevi, Ryan (April 2015). Public Key Pinning Extension for\r\nHTTP. IETF. doi:10.17487/RFC7469. ISSN 2070-1721. RFC 7469.\r\n2. ^ Leyden, John (2017-10-30). \"RIP HPKP: Google abandons public key pinning\". The Register. Retrieved\r\n2018-12-18.\r\n3. ^ Tung, Liam (2017-10-30). \"Google: Chrome is backing away from public key pinning, and here's why\".\r\nZDNet. Retrieved 2018-12-18.\r\n4. ^ \"About Public Key Pinning\". noncombatant.org. Retrieved 2015-05-07.\r\n5. ^ \"Certificate and Public Key Pinning - OWASP\". www.owasp.org. Retrieved 2015-05-07.\r\n6. ^ \"Security FAQ - The Chromium Projects\". www.chromium.org. Retrieved 2015-07-07.\r\n7. ^ Evans, C.; Palmer, C.; Sleevi, R. (2015). \"RFC 7469 - Public Key Pinning Extension for HTTP\".\r\ntools.ietf.org. doi:10.17487/RFC7469. Retrieved 2015-07-07.\r\n8. ^ \"HPKP Violation Reporting\". Scott Helme.\r\n9. ^ \"HPKP is no more\". Scott Helme. 2020-01-20. Retrieved 2020-01-30.\r\n10. ^ \"Abusing Bleeding Edge Web Standards for AppSec Glory\". Bryant Zadegan and Ryan Lester. 2016-08-\r\n03. Retrieved 2026-01-14.\r\n11. ^ \"Using security features to do bad things\". Scott Helme. 2016-08-15. Retrieved 2020-01-30.\r\n12. ^ Stark, Emily (2015-08-31). \"Rolling out public key pinning with HPKP reporting\". Chrome Developers.\r\nArchived from the original on 2023-01-16. Retrieved 2023-03-10.\r\n13. ^ Medley, Joe (2018-06-07). \"Deprecations and removals in Chrome 67\". Google Developers. Archived\r\nfrom the original on 2023-03-10. Retrieved 2023-03-10.\r\n14. ^ Palmer; Estark; Rsleevi (2022-09-13). \"Remove HTTP-Based Public Key Pinning - Chrome Platform\r\nStatus\". www.chromestatus.com. Archived from the original on 2022-05-25. Retrieved 2019-11-18.\r\n15. ^ Medley, Joe (2020-06-27). \"Deprecations and removals in Chrome 72 - Chrome Developers\". Chrome\r\nDevelopers. Archived from the original on 2022-11-18. Retrieved 2023-03-10.\r\n16. ^ Bynens, Mathias (2015-10-27). \"Opera 33 released\". GitHub. Opera. Archived from the original on\r\n2023-03-10. Retrieved 2023-03-10.\r\nhttps://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning\r\nPage 3 of 4\n\n17. ^ \"What's new in Chromium 67 and Opera 54\". GitHub. Opera. 2018-06-28. Archived from the original on\r\n2023-03-10. Retrieved 2023-03-10.\r\n18. ^ \"HTTP Public Key Pinning is no longer supported\". Firefox Site Compatibility. November 14, 2019.\r\nArchived from the original on 2020-05-29. Retrieved 2020-02-19.\r\n19. ^ Keeler, Dana (2019-11-13). \"Mozilla source code change that removed HPKP including discussion and\r\nreasons for this change (bug 1412438)\". Mozilla Firefox Version Control. Archived from the original on\r\n2023-03-10. Retrieved 2023-03-10.\r\n20. ^ \"remove HPKP (http public key pinning) entirely (not built-in pins)\". bugzilla.mozilla.org. “HPKP is\r\ndisabled by default (bug 1412438). Due to socket process work, it has already become a maintenance\r\nburden (see bug 1485652). This bug will remove HPKP entirely.”\r\n21. ^ Jump up to: a\r\n \r\nb\r\n \"The status of Public Key Pinning Extension for HTTP in Microsoft Edge is Under\r\nConsideration\". Microsoft Edge Development. Archived from the original on 2016-12-20. Retrieved 2018-\r\n09-21.\r\nSource: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning\r\nhttps://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning\r\nPage 4 of 4\n\nBrowser Version Browser support added for HTTP Version deprecated Public Key Pinning Version removed Notes\nGoogle Chrome 46[12] 67[13] 72[14][15]\n  Page 2 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning"
	],
	"report_names": [
		"HTTP_Public_Key_Pinning"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b10d88a1cd9ef49ffa32d102e6822b672da794f.pdf",
		"text": "https://archive.orkl.eu/2b10d88a1cd9ef49ffa32d102e6822b672da794f.txt",
		"img": "https://archive.orkl.eu/2b10d88a1cd9ef49ffa32d102e6822b672da794f.jpg"
	}
}