Changes to Chromium’s public key pinning implementation

Emily Stark
Aug 12, 2022, 6:31:24 PM
to embedd...@chromium.org, Carlos IL, David Adrian

We recently made some changes to Chromium’s public key pinning implementation that we’d like to describe here for any embedders who are using the affected code. Note that dynamic public key pinning (aka HPKP) is no longer supported, and the public key pinning implementation only pins a small set of preloaded pinned domains. Also note that pinning is intentionally disabled by default outside of Chrome-branded builds, but we’re aware that some embedders may be enabling the code to enforce their own set of pins.


Changes to freshness calculation for built-in pinning list

The pinning list contained in the source code is intended to expire 10 weeks after build, in a fail-open way, so that clients broken by bad pins are not broken forever. This 10-week freshness window used to be calculated based on a build timestamp, but this was problematic in the event of binaries compiled from old source code, which would enforce an old pinning list for 10 weeks.


The freshness window is now based on a timestamp in the source tree. In the Chromium repository, this timestamp is automatically updated every day. Any embedders using this code may want to ensure that their timestamp in source is automatically updated too; otherwise the pinning list may expire sooner than intended.


Pinning list updated via component updater

In Chrome, the pinning list is now updateable via component updater, to be able to distribute changes to the built-in pinning list more quickly and reliably (especially in the case of unexpected breakage). Any embedders who are enforcing pinning using their own pinning list and pulling in component updates should be sure to not unintentionally enforce the pins distributed in this component. The pinning list delivered via component updater includes its own timestamp that overrides the aforementioned source tree timestamp once the component update is installed.
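The following is an added example, not Chromium's own code, modelling the two freshness rules described in the sections above: the old build-timestamp scheme, the new source-tree-timestamp scheme, and the override by the timestamp carried in the component-updater pin list. The 10-week window comes from the post; the function and constant names, the Unix-seconds representation and the treatment of a clock set earlier than the list timestamp are assumptions made for the example.

```cpp
// Added example, not Chromium's code: a model of the fail-open freshness
// rule described in the post. The 10-week window comes from the post; the
// function and constant names, the Unix-seconds representation and the
// treatment of a clock earlier than the list timestamp are assumptions.
#include <cstdint>
#include <cstdio>
#include <optional>

namespace pin_freshness {

constexpr int64_t kSecondsPerWeek = 7 * 24 * 60 * 60;
// Pins expire 10 weeks after the list timestamp (from the post).
constexpr int64_t kFreshnessWindowSeconds = 10 * kSecondsPerWeek;

// Core rule: a list is fresh while no more than 10 weeks have passed since
// its timestamp. Fails open: an expired list simply stops being enforced.
bool IsFresh(int64_t list_timestamp, int64_t now) {
  // Assumption: a clock earlier than the timestamp counts as fresh.
  if (now < list_timestamp) return true;
  return (now - list_timestamp) <= kFreshnessWindowSeconds;
}

// Old scheme (described as problematic): freshness measured from the build
// timestamp, so a binary built today from old source enforces stale pins.
bool EnforceUnderBuildTimestampScheme(int64_t build_timestamp, int64_t now) {
  return IsFresh(build_timestamp, now);
}

// New scheme: freshness measured from a timestamp checked into the source
// tree, overridden by the timestamp carried in the component updater's pin
// list once that component is installed.
bool EnforceUnderSourceTimestampScheme(int64_t source_timestamp,
                                       std::optional<int64_t> component_timestamp,
                                       int64_t now) {
  const int64_t effective = component_timestamp.value_or(source_timestamp);
  return IsFresh(effective, now);
}

}  // namespace pin_freshness

int main() {
  using namespace pin_freshness;
  // Constructed timestamps (Unix seconds) for the stale-source scenario:
  // the source tree's timestamp is 30 weeks old, but the binary was built now.
  const int64_t now = 1660000000;  // constructed "today"
  const int64_t source_ts = now - 30 * kSecondsPerWeek;
  const int64_t build_ts = now;

  std::printf("old scheme enforces stale pins: %s\n",
              EnforceUnderBuildTimestampScheme(build_ts, now) ? "yes" : "no");
  std::printf("new scheme enforces stale pins: %s\n",
              EnforceUnderSourceTimestampScheme(source_ts, std::nullopt, now)
                  ? "yes" : "no");

  // A component update carrying a one-week-old timestamp re-enables
  // enforcement even though the source-tree timestamp has long expired.
  const int64_t component_ts = now - 1 * kSecondsPerWeek;
  std::printf("after component update: %s\n",
              EnforceUnderSourceTimestampScheme(source_ts, component_ts, now)
                  ? "yes" : "no");
  return 0;
}
```

An embedder checking its own build can plug its source-tree timestamp into EnforceUnderSourceTimestampScheme with std::nullopt to see whether a binary would enforce pins at all; if the timestamp is not refreshed automatically, the answer turns to "no" ten weeks after the last refresh, which is the early expiry the post warns about.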

Reminder about the Chromium pinning list

The list of public key pins in the Chromium repository is intended to be used in Chrome. Embedders wishing to use this list should confirm with all pinned domain owners (including Google) that they wish for their domains to be pinned in non-Chrome clients before enforcing these pins.
