Researchers propose TLS extension to detect rogue SSL certificates

24.05.2012

In November 2011, security engineers from Google proposed an HTTP extension called "public key pinning" that would allow websites to effectively tell browsers via an HTTP header which certificate authorities should be trusted to issue SSL certificates for their domain names.

The browsers would then remember (pin) this information and refuse to establish the connection if they receive a certificate signed by a different CA in the future. A more static implementation of this system already exists in Google Chrome for particular domain names, including Google's.

TACK is based on the same public key pinning concept, but instead of pinning CA public keys to particular domain names, it pins public keys generated by the domain owners themselves.

With TACK, the domain owner can generate a pair of private and public keys called TACK keys. The private key is used to sign the server's TLS public key, which is currently used by browsers to validate SSL certificates. The TACK public key is then shared with connecting browsers and is used to validate the TACK-signed TLS public key.

The browsers can pin a TACK public key to a domain name if they receive it from the server on several separate occasions. If an attacker attempts to use a rogue SSL certificate to spoof a secure connection to a domain name that already has a TACK key pinned to it, the browser will not authorize it because the TACK validation will fail.
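The signing and pinning steps described above can be modelled in a few lines; this is an added sketch, not code from the TACK proposal or the article. The activation threshold of three sightings, Ed25519 as the signature scheme, the rule that a different key restarts the count, and all names (`Client`, `Serve`, `Connect`, `example.test`) are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

const PinThreshold = 3 // assumed; the article only says "several separate occasions"

// pin is what a hypothetical client remembers per host (not TACK's real data model).
type pin struct {
	key  string // TACK public key last seen with a valid signature
	seen int    // valid handshakes that presented it
}
type Client map[string]pin // host name -> pin

// NewTackKey makes a domain owner's TACK key pair (Ed25519 is this sketch's choice).
func NewTackKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return priv
}

// Serve is the server's side of a handshake: it signs tlsPub with the TACK private key.
func Serve(host string, tack ed25519.PrivateKey, tlsPub []byte) (string, []byte, ed25519.PublicKey, []byte) {
	return host, tlsPub, tack.Public().(ed25519.PublicKey), ed25519.Sign(tack, tlsPub)
}

// Connect reports whether the client accepts the handshake (CA checks not modelled).
func (c Client) Connect(host string, tlsPub []byte, tackPub ed25519.PublicKey, sig []byte) bool {
	valid := len(tackPub) == ed25519.PublicKeySize && ed25519.Verify(tackPub, tlsPub, sig)
	if p := c[host]; p.seen >= PinThreshold { // pin active: only the pinned key may vouch
		return valid && string(tackPub) == p.key
	} else if valid && string(tackPub) == p.key {
		c[host] = pin{p.key, p.seen + 1}
	} else if valid {
		c[host] = pin{string(tackPub), 1} // different key: counting starts afresh
	}
	return true // no active pin yet, nothing to enforce
}

func main() {
	c, owner := Client{}, NewTackKey()
	for i := 0; i < PinThreshold; i++ {
		c.Connect(Serve("example.test", owner, []byte("site-tls-key"))) // constructed key bytes
	}
	fmt.Println(c.Connect(Serve("example.test", NewTackKey(), []byte("rogue-tls-key")))) // false
}
```

Because the pin is on the TACK key rather than on the certificate, a replacement TLS key signed with the same TACK key is still accepted by a client that has already pinned the host.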