[arkadiyt]

Fun fact: the google engineers responsible for this decision were repeatedly accused of being NSA plants as a result: https://twitter.com/sleevi_/status/668911789841608706

Chris Palmer also wrote a really great blog post about this: https://noncombatant.org/2015/11/24/what-is-hpkp-for/

[hlandau]

That blog post insinuates that 'strict' HPKP wouldn't work, yet despite this Google Chrome actually enforces strict HPKP... but only for some Google Domains. It's rather a double standard. I wrote about this: https://www.devever.net/~hl/policymitm