Our Penetration testing Team is suggesting to configure Public Key Pinning Extension for HTTP at IIS level.
Wikipedia says it’s a deprecated security mechanism. And most of the blogs and articles not recommending pinning because it involves a huge risk.
- https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
- https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning
- https://threatpost.com/google-to-ditch-public-key-pinning-in-chrome/128679/
Is it any good to have PKP on a Web site?
Please Advice.
What I can make sure is that compared to websites that don’t use any certificates or encrypted connections, public key pinning can make connection safer. When Google first introduced PKP, it was used to add a layer of security for web clients.
But after so long of technological changes, more safer technologies appear, which make PKP looks not perfect.
By terminating the connection PKP can help protect end users from man-in-the-middle (MITM) attacks. One way a MITM attack can happen is when an attacker uses a fraudulent certificate to create a spoofed site in order to harvest user’s personal information.
Now it seems that PKP is not safe, few websites use it, and even many browsers are giving up support for it. I think your Penetration testing Team know this, but why they insist on using it, you need to ask them. They may have some specail reason for using PKP.