by jusob
3420 days ago
It is part of the RFC: if a certificate is signed by a root certificate that is trusted in your private store (meaning it was added later on), HPKP is ignored. Unfortunately, this is required in the enterprise world where corporate MITM is often done (Palo Alto Networks SSL proxy, Websense/Forcepoint, Zscaler, Blue Coat, etc.) for content inspection.
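The behaviour jusob describes, as an added example that is not from the thread or from any browser's code: a simplified model of RFC 7469 pin validation. It parses a Public-Key-Pins header, computes pin-sha256 values (base64 of SHA-256 over the DER SubjectPublicKeyInfo), checks whether any SPKI in the chain matches a pin, and skips the check entirely when the chain anchors at a root installed into the private store. The `Cert` class and all SPKI byte strings are constructed stand-ins, not real keys or DER.

```python
"""Simplified model of HPKP (RFC 7469) pin validation, including the
private-trust-anchor exemption. Added example; all keys are constructed."""
import base64
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate: only the DER SPKI and
    whether this cert is a root the user/enterprise installed locally."""
    name: str
    spki_der: bytes                     # constructed bytes, not real DER
    user_installed_root: bool = False   # True for roots added to the private store


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_MAX_AGE_RE = re.compile(r"max-age=(\d+)")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header into pins, max-age and includeSubDomains."""
    pins = _PIN_RE.findall(value)
    m = _MAX_AGE_RE.search(value)
    if m is None:
        raise ValueError("Public-Key-Pins requires max-age")
    if len(pins) < 2:
        # RFC 7469 requires a backup pin so a key rotation cannot brick the site.
        raise ValueError("Public-Key-Pins requires at least two pins")
    return {
        "pins": set(pins),
        "max_age": int(m.group(1)),
        "include_subdomains": "includeSubDomains" in value,
    }


def check_pins(chain: list, pinned: set) -> tuple:
    """Validate a (leaf, ..., root) chain against a set of pins.

    Returns (accepted, reason). The check passes if any SPKI in the chain
    matches a pin, and is skipped when the chain terminates in a root that was
    installed into the local/private store rather than shipped with the client.
    """
    root = chain[-1]
    if root.user_installed_root:
        return True, "pins ignored: chain anchors at a user-installed root"
    for cert in chain:
        if spki_pin(cert.spki_der) in pinned:
            return True, f"pin matched on {cert.name}"
    return False, "no SPKI in chain matched a pin"


# Constructed SPKI stand-ins (not real DER; any bytes work for the hash demo).
LEAF_SPKI = b"constructed-spki-leaf"
BACKUP_SPKI = b"constructed-spki-backup"
PROXY_ROOT_SPKI = b"constructed-spki-corporate-proxy-root"

HEADER = (
    f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)


def demo() -> dict:
    """Three chains against the same policy: genuine, mis-issued, corporate proxy."""
    policy = parse_pkp_header(HEADER)
    genuine = [Cert("leaf", LEAF_SPKI), Cert("public root", b"constructed-public-root")]
    misissued = [Cert("other-leaf", b"constructed-other-leaf"),
                 Cert("other public CA", b"constructed-other-root")]
    corporate = [Cert("proxy-leaf", b"constructed-proxy-leaf"),
                 Cert("corp root", PROXY_ROOT_SPKI, user_installed_root=True)]
    return {
        "genuine": check_pins(genuine, policy["pins"])[0],
        "misissued": check_pins(misissued, policy["pins"])[0],
        "corporate_proxy": check_pins(corporate, policy["pins"])[0],
    }


if __name__ == "__main__":
    print(demo())
```

The `corporate_proxy` case is the one the comment is about: the chain carries no pinned SPKI, yet it is accepted because the root came from the private store. A client that wants to let users opt out of that exemption only has to drop the `user_installed_root` short-circuit.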
This still should not be the default; rather, corps should have an easy about:config switch they can flip. The default should protect private users.