I like this. It’s a good idea in theory but the practical deployment of it is surprisingly difficult (tooling is missing) and any mistake means your website is blocked by the browser’s interstitial with no way around. This concept needed more time to bake, perhaps some tools/patches/plugins written first.
It’s also an attack vector. If a site is compromised an attacker can pin their own cert.
For my personal sites, I tried to do all of the standard security precautions, turn on everything that every security advice site recommended, etc. The only thing I didn’t go ahead with was the key pinning. From everything I’ve read, it’s just too easy to shoot yourself in the foot with it. It seems like lots of people either weren’t aware of the feature at all, or came to the same conclusion.
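The "too easy to shoot yourself in the foot" point in the comments above comes down to a few header rules that browsers enforce and that a site operator can check before ever sending the header. The following is an added example (not code from the thread or from any browser vendor) of such a pre-deployment validator for an RFC 7469 Public-Key-Pins header: it computes pin-sha256 values from SubjectPublicKeyInfo DER bytes and verifies that one pin matches a key in the served chain, that a backup pin exists outside the chain, and that max-age is not set to something that would lock clients out for a year after a mistake. The SPKI byte strings and the header values are constructed placeholders, not real keys.

```python
"""Pre-deployment sanity check for an HPKP (RFC 7469) Public-Key-Pins header.

Added example: computes pin-sha256 values from SubjectPublicKeyInfo DER bytes
and checks the header value against the rules browsers enforce, so a broken
header is caught before it is cached by clients for max-age seconds.
"""
import base64
import hashlib
from typing import Dict, List

# Constructed placeholder SPKI DER bytes (NOT real keys). In a real check these
# come from the certificate chain the server actually serves plus an offline
# backup key, e.g. the DER SubjectPublicKeyInfo extracted with openssl.
LEAF_SPKI = b"constructed-leaf-spki-der-placeholder"
BACKUP_SPKI = b"constructed-backup-spki-der-placeholder"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as RFC 7469 defines it: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header_value: str) -> Dict[str, object]:
    """Parse the directives of a Public-Key-Pins header value."""
    pins: List[str] = []
    max_age = None
    include_subdomains = False
    report_uri = None
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = value
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_subdomains, "report_uri": report_uri}


def check_hpkp(header_value: str, chain_spkis: List[bytes],
               max_reasonable_age: int = 60 * 24 * 3600) -> List[str]:
    """Return a list of problems with the header; an empty list means it passes.

    chain_spkis: SPKI DER of every certificate in the chain the server serves.
    max_reasonable_age: upper bound on max-age to cap the blast radius of a
    mistake (60 days by default; an operator's policy choice, not an RFC value).
    """
    parsed = parse_hpkp(header_value)
    pins: List[str] = parsed["pins"]  # type: ignore[assignment]
    problems: List[str] = []

    # Every pin must be a valid base64 encoding of a 32-byte SHA-256 digest.
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except (ValueError, base64.binascii.Error):
            problems.append(f"pin is not valid base64: {pin!r}")
            continue
        if len(raw) != 32:
            problems.append(f"pin is not a 32-byte SHA-256 digest: {pin!r}")

    if parsed["max_age"] is None:
        problems.append("max-age directive missing")
    elif parsed["max_age"] > max_reasonable_age:
        problems.append("max-age exceeds the configured ceiling; a bad pin "
                        "would lock clients out for that long")

    if len(pins) < 2:
        problems.append("fewer than two pins; RFC 7469 requires a backup pin")

    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    if not set(pins) & chain_pins:
        problems.append("no pin matches a key in the served chain; browsers "
                        "ignore such a header, and clients holding a cached "
                        "pin set would refuse the connection")
    if not set(pins) - chain_pins:
        problems.append("no backup pin outside the served chain; losing the "
                        "key locks clients out")
    return problems


# Constructed sample headers: a sane one and one that would be a foot-gun.
GOOD_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
               f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
               'max-age=2592000; includeSubDomains')
BAD_HEADER = f'pin-sha256="{spki_pin(LEAF_SPKI)}"; max-age=31536000'

if __name__ == "__main__":
    print("good header:", check_hpkp(GOOD_HEADER, [LEAF_SPKI]) or "OK")
    print("bad header:", check_hpkp(BAD_HEADER, [LEAF_SPKI]))
```

Running the script reports the good header as OK and flags the bad one three times (max-age too long, only one pin, no backup pin). Wiring a check like this into the deploy pipeline, with the real chain's SPKI bytes, is the kind of missing tooling the first comment refers to; the backup pin should correspond to a key kept offline, otherwise it does not protect against the loss the rule exists for.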
How does this affect the usefulness of HSTS? From my limited knowledge of HPKP, it tries to ensure that a fake cert can’t be used. But if HSTS only helps us force clients to use https, doesn’t that make it less effective?
PSA that Firefox 57 is pretty fantastic on both desktop and mobile. Definitely recommend giving it a spin.