New #Firefox version 72 loses HPKP support.


But there is nothing mentioning it in the official release notes. Everyone seems to be talking about the much-needed PiP video functions. However, there is an announcement on Firefox Site Compatibility, and the function is indeed disabled after the upgrade.

Non-techy explanation: Most sites use encryption (that padlock in the address bar). Encryption not only protects your data from eavesdroppers but also ensures you are indeed connected to the site you see in the address bar and not some counterfeit copy run by hackers. However, there are ways to fool this identity verification if hackers have access to certificate authorities. This can be done by legal means (governments), administrative means (your employer might do this on their network) or illegally (leaks, hacks, CA bugs, etc.), and it is not uncommon. HPKP allows website owners to configure their websites in a way that makes these hijacking attempts fail. Only a small percentage of websites use HPKP, but it does work and I see nothing wrong with it being enabled as an option for more security-oriented resources.


Is this change disastrous and will we all die? No. Does it weaken security and make us more vulnerable? Yes, it does.

Note that Firefox was the last to drop this functionality (Chrome did it almost one year ago), but the entire trend is sad. This feature was optional and transparent for users. If it worked, it made you more secure with no extra effort. If it didn't, there was zero overhead. With two major browsers disabling it, it is safe to say it is gone.

Personally, my opinion is that this was done to improve compatibility with various traffic inspection systems. Basically, it opens avenues for big players to get into our traffic. But we trust these guys, right?

...
Thanks to @Max Kostikov for the heads-up.

#privacy #internet #security #firefox #chrome #freedom
