TL;DR
HPKP (HTTP Public Key Pinning) was not designed for user tracking, but the pin state a browser stored could be abused as a persistent per-visitor marker, in the same way the HSTS "supercookie" works; the HPKP specification itself (RFC 7469, Privacy Considerations) calls this out. The issue is now mostly historical: Chrome and Firefox have removed HPKP support and Safari never implemented it, so no current mainstream browser stores pins, and Certificate Transparency covers the misissuance problem HPKP was meant to solve. The residual risk is low, but understanding the mechanism helps you judge other stateful security headers.
What is HPKP?
HPKP let a site tell browsers which public keys had to appear in its certificate chain on future connections. When a browser received the Public-Key-Pins response header over a valid HTTPS connection, it stored ("noted") the pins for max-age seconds; a later connection to that host whose certificate chain contained none of the pinned keys was refused. The header carried SHA-256 hashes of public keys (strictly, of the DER-encoded SubjectPublicKeyInfo), and a pinned key could belong to the leaf certificate, an intermediate, or a root CA. The goal was to defeat man-in-the-middle attacks that rely on a misissued or fraudulently obtained certificate from a CA the browser would otherwise trust.
Can HPKP Be Used to Track Users?
Not through anything in the header itself: HPKP carries no user identifier, and every visitor to a correctly configured site receives the same pins. The problem is the state the browser keeps afterwards. A site can decide per visitor which of its hosts to pin, and can later observe whether a connection to each host succeeds or fails pin validation, so the stored pins can act as a stateful identifier (a "supercookie"). This is the same abuse already demonstrated for HSTS, and it is not fingerprinting in the usual sense (passively reading stable browser attributes); it is a marker the site writes and later reads back.
How Tracking Could Work (and Why It’s Difficult)
- Writing the marker: the tracker controls a set of probe subdomains (say b0 through b31 under its domain) and, on a first visit, sends a valid Public-Key-Pins header only from the subdomains whose index bit is 1 in the visitor's ID. The browser notes pins for exactly that subset of hosts.
- Reading it back: on a later visit, a script on the page loads a resource from every probe subdomain, each served with a valid certificate whose key is not among the pinned ones. Pinned subdomains fail pin validation and the load errors; unpinned subdomains load normally. The pattern of failures reproduces the ID.
- Scope directives: includeSubDomains and the choice of which key in the chain to pin do not create per-user variation on their own. They matter only because they determine which hosts a stored pin covers, and therefore what a probe can observe.
However, tracking through HPKP was never reliable, and today it is effectively impossible:
- Browser support: Chrome removed HPKP in 2019 and Firefox in 2020, and Safari never implemented it. The header is sent by servers, not browsers; a browser without HPKP support ignores it, so there is no pin state left to read.
- Pin lifetime: stored pins expire after max-age and are replaced by the next header the site sends, so the marker decays unless the site keeps refreshing it, and the tracker must keep valid certificates for both the pinned and the probe keys.
- User control: clearing site data removes stored pins together with cookies and HSTS state, private browsing sessions discard them on close, and tracker-blocking extensions stop the probe requests from being made at all.
Example of an HPKP Header (Now Obsolete)
Public-Key-Pins: pin-sha256="M8wEJQLSCmzJEYIs+PTt9UJC4Qvj1oqrK/lR3WkY5pI="; pin-sha256="<base64 SHA-256 of a backup key not in the current chain>"; max-age=31536000; includeSubDomains
Each pin-sha256 value is the base64-encoded SHA-256 hash of a public key (its DER SubjectPublicKeyInfo), not of a whole certificate. On later connections the browser required at least one pinned key to appear somewhere in the served chain. The specification required at least two pins, one of them a backup key not present in the current chain, and browsers ignored headers that did not meet this rule, so the single-pin form often shown in tutorials would never have been enforced. max-age is how long, in seconds, the browser keeps the pins. includeSubDomains applies them to all subdomains as well. An optional report-uri directive named an endpoint that received validation-failure reports, and Public-Key-Pins-Report-Only used the same syntax to report without enforcing.
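The following Python is an added worked example, not code from the original article. It models the two things described above: how a browser computes and enforces pin-sha256 values from a Public-Key-Pins header (including the backup-pin rule, max-age=0 and includeSubDomains), and how a site could abuse the stored pin state as a per-visitor marker, the concern RFC 7469 lists under Privacy Considerations. All hosts, header values and "keys" are constructed for illustration: the SPKI bytes are DER-shaped but are not real keys, and the PinStore class is a simplified model of browser behaviour, not any browser's actual implementation.

```python
import base64
import hashlib
import re

# DER prefix of a SubjectPublicKeyInfo for an Ed25519 key (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 } BIT STRING { 32 key bytes } }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def spki_for(label: bytes) -> bytes:
    """Constructed SPKI: structurally valid DER, but the 32 key bytes are
    derived from a label rather than being a real key."""
    return ED25519_SPKI_PREFIX + hashlib.sha256(label).digest()


def pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 value per RFC 7469 s2.4: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp(header: str) -> dict:
    """Pull pins, max-age and includeSubDomains out of a Public-Key-Pins value."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header))
    max_age = re.search(r"max-age=(\d+)", header)
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"pins": pins, "max_age": int(max_age.group(1)),
            "subdomains": "includesubdomains" in header.lower()}


class PinStore:
    """Toy model of a browser's HPKP state: host -> noted policy."""

    def __init__(self) -> None:
        self.noted: dict[str, dict] = {}

    def note(self, host: str, header: str, chain_pins: set[str]) -> bool:
        """Browser receives the header over a connection whose chain has the
        given SPKI pins. RFC 7469 s2.5: note pins only if at least one pin
        matches the chain AND at least one (the backup) does not."""
        policy = parse_pkp(header)
        if not (policy["pins"] & chain_pins) or not (policy["pins"] - chain_pins):
            return False                 # header ignored, nothing stored
        if policy["max_age"] == 0:
            self.noted.pop(host, None)   # max-age=0 clears the policy
        else:
            self.noted[host] = policy
        return True

    def connect(self, host: str, chain_pins: set[str]) -> bool:
        """Later connection: the most specific noted policy covering the host
        applies, and the chain must contain at least one of its pins."""
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.noted.get(".".join(labels[i:]))
            if policy and (i == 0 or policy["subdomains"]):
                return bool(policy["pins"] & chain_pins)
        return True                      # no policy: ordinary validation only


def write_marker(store: PinStore, domain: str, user_id: int, bits: int,
                 live_pin: str, backup_pin: str) -> None:
    """Tracker side of the RFC 7469 s5 concern: pin probe subdomain i only
    when bit i of the visitor's ID is set. Every header is individually valid."""
    header = f'pin-sha256="{live_pin}"; pin-sha256="{backup_pin}"; max-age=31536000'
    for i in range(bits):
        if (user_id >> i) & 1:
            store.note(f"b{i}.{domain}", header, {live_pin})


def read_marker(store: PinStore, domain: str, bits: int, decoy_pin: str) -> int:
    """Later visit: every probe subdomain is served a certificate whose key is
    NOT pinned. Pinned hosts fail pin validation, unpinned hosts load. In a
    real attack page JavaScript observes load vs. error; here connect() stands
    in for that. The failure pattern reproduces the ID."""
    user_id = 0
    for i in range(bits):
        if not store.connect(f"b{i}.{domain}", {decoy_pin}):
            user_id |= 1 << i
    return user_id


if __name__ == "__main__":
    live, backup, decoy = (pin_sha256(spki_for(k)) for k in (b"live", b"backup", b"decoy"))
    store = PinStore()
    print("single-pin header accepted?",
          store.note("www.example.test", f'pin-sha256="{live}"; max-age=3600', {live}))
    write_marker(store, "track.example.test", 0xA5, 8, live, backup)
    print("recovered id:", hex(read_marker(store, "track.example.test", 8, decoy)))
```

The model deliberately keeps the two halves apart: PinStore is only the browser's published behaviour (note, expire, match the most specific policy), while write_marker and read_marker are what a hostile site does with that behaviour. Nothing in the tracker code breaks a rule; every header it sends is one a browser would have accepted, which is why the only effective fix was removing the feature.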
Why HPKP Is No Longer Recommended
- Complexity: correct deployment meant generating and safeguarding offline backup keys, keeping pins in step with certificate renewals and CA changes, and choosing a max-age long enough to protect but short enough to recover from.
- Self-locking risk: if a site lost the private keys for every pinned key, or published a wrong hash, every browser that had stored the pins refused to connect until max-age expired, and nothing the site served could fix it because the fix itself failed the pin check. Worse, an attacker who briefly controlled the site, or who held a misissued certificate for it, could set hostile pins and lock the legitimate owner out (sometimes called "HPKP suicide").
- Better alternatives: Certificate Transparency does not perform the pin check, but it makes misissuance detectable instead of trying to prevent it client-side: publicly trusted certificates are logged, Chrome has required CT for certificates issued since 2018, and site owners can monitor the logs for certificates they never requested. This addresses the same threat with none of HPKP's lock-out risk. (The Expect-CT header, introduced as a bridge, has also since been deprecated.)
Protecting Your Privacy
- Use a privacy-focused browser: Brave, or Firefox with Enhanced Tracking Protection, blocks known trackers and resists common fingerprinting techniques.
- Install privacy extensions: Privacy Badger or uBlock Origin block tracker requests, which also stops probe-style techniques like the one above from ever reaching the tracker's hosts.
- Regularly clear your browser data: clearing cookies, cache and site data removes stored identifiers, including HSTS state (and, in browsers that still had it, HPKP pin state).