Not so long ago Netcraft, a company that scans the web, published what amounts to a rebuke of system administrators for ignoring HTTP Public Key Pinning (HPKP). Pinning protects users against an attack in which the attacker deceives a certificate authority into issuing a fraudulent certificate for the site.
If an attacker can obtain a certificate for a site, they can impersonate the site itself, which opens the way to various abuses, such as harvesting valuable information. HPKP addresses this problem. However, Netcraft notes that it only works if administrators actually deploy HPKP on the server, and unfortunately they do not.
Fewer than 0.1% of all certificates examined by Netcraft carried an HPKP header. And where HPKP was present, it was often configured incorrectly; such errors open a mass of loopholes for attackers.
According to Netcraft's study, only 3,000 certificates used HPKP. The header was served by 4,100 sites, but a quarter of them had an error in it.
Why should you use HPKP? It reduces risk for the user. But it also creates problems for businesses. System administrators must specify a lifetime for the HPKP pins. If the site operator loses the pinned keys, the site will be unavailable to returning visitors for the entire period specified for HPKP.
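The misconfigurations Netcraft describes are mostly visible in the header itself: too few pins (no backup), pins that are not base64-encoded SHA-256 digests, a missing lifetime, or a lifetime long enough that losing a key locks visitors out for months. The following added example, which is not code from the article or from Netcraft, computes a pin from the DER-encoded SubjectPublicKeyInfo of a key and checks a Public-Key-Pins header for those problems. The sample key bytes are constructed placeholders, not real SPKI structures, and the 60-day cap used for the lock-out warning is an assumption rather than a requirement.

```python
"""Check a Public-Key-Pins (HPKP) header for common misconfigurations.

Added example: pin_from_spki_der() shows how a pin value is derived
(base64 of the SHA-256 of the DER SubjectPublicKeyInfo), and
check_hpkp_header() flags headers that browsers would ignore or that
would lock visitors out of the site if a key were lost.
"""
import base64
import hashlib
import re
from typing import List

# Directive syntax from RFC 7469: pin-sha256="<base64>"; max-age=<seconds>
_PIN_RE = re.compile(r'pin-sha256="([^"]*)"', re.IGNORECASE)
_MAX_AGE_RE = re.compile(r"\bmax-age=(\d+)", re.IGNORECASE)

# Assumption for this example: pins longer than 60 days are worth a warning,
# because key loss leaves the site unreachable for the whole max-age.
MAX_SAFE_AGE = 60 * 24 * 3600

# Constructed stand-ins for DER SubjectPublicKeyInfo bytes (not real keys).
SAMPLE_SPKI_PRIMARY = b"constructed-primary-spki"
SAMPLE_SPKI_BACKUP = b"constructed-backup-spki"


def pin_from_spki_der(spki_der: bytes) -> str:
    """Return the HPKP pin for a DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(spki_ders, max_age: int) -> str:
    """Build a Public-Key-Pins header value from SPKI DER blobs."""
    pins = " ".join(f'pin-sha256="{pin_from_spki_der(d)}";' for d in spki_ders)
    return f"{pins} max-age={max_age}"


def check_hpkp_header(header: str) -> List[str]:
    """Return a list of problems found in the header; empty means it looks sane."""
    problems = []

    valid_pins = set()
    for pin in _PIN_RE.findall(header):
        try:
            raw = base64.b64decode(pin, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"pin is not valid base64: {pin!r}")
            continue
        if len(raw) != 32:
            problems.append(f"pin is not a 32-byte SHA-256 digest: {pin!r}")
            continue
        valid_pins.add(pin)

    # RFC 7469 requires a backup pin, so at least two distinct valid pins.
    if len(valid_pins) < 2:
        problems.append("fewer than two distinct valid pins (a backup pin is required)")

    match = _MAX_AGE_RE.search(header)
    if match is None:
        problems.append("max-age directive missing; browsers ignore the header")
    else:
        age = int(match.group(1))
        if age == 0:
            problems.append("max-age=0 clears any stored pins and gives no protection")
        elif age > MAX_SAFE_AGE:
            problems.append(
                f"max-age={age} exceeds {MAX_SAFE_AGE}s; losing the keys locks visitors out for that long"
            )

    return problems


# Sample headers built from the constructed keys above.
GOOD_HEADER = build_header([SAMPLE_SPKI_PRIMARY, SAMPLE_SPKI_BACKUP], 30 * 24 * 3600)
ONE_PIN_HEADER = build_header([SAMPLE_SPKI_PRIMARY], 30 * 24 * 3600)
LONG_AGE_HEADER = build_header([SAMPLE_SPKI_PRIMARY, SAMPLE_SPKI_BACKUP], 365 * 24 * 3600)
NO_AGE_HEADER = 'pin-sha256="notbase64!!"; pin-sha256="AAAA"'


if __name__ == "__main__":
    for name, header in [
        ("good", GOOD_HEADER),
        ("one-pin", ONE_PIN_HEADER),
        ("long-age", LONG_AGE_HEADER),
        ("no-age", NO_AGE_HEADER),
    ]:
        print(name, "->", check_hpkp_header(header) or "OK")
```

To check a live deployment you would feed the value of the site's Public-Key-Pins response header to check_hpkp_header and compare the pins it contains with pin_from_spki_der applied to the SPKI of the certificates actually served, which is how a missing backup pin or a pin that matches none of the served keys is caught before it takes a site offline.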