This is a common theme in this thread but I'll re-state it here:
Web browsers cannot reliably distinguish between a configuration mistake and an attack.
For this reason, I think hard HPKP fails are a good thing. For those who opt-in to HPKP, this is a risk one takes in exchange for greater control over certificate validation.
Web browsers cannot reliably distinguish between a configuration mistake and an attack.
For this reason, I think hard HPKP fails are a good thing. For those who opt-in to HPKP, this is a risk one takes in exchange for greater control over certificate validation.