Hacker News
by bckygldstn 3359 days ago
It can also be used maliciously by attackers: they could set HPKP to their own certificates with a 5-year expiry time, then sell them to the bank after DNS is reverted. The bank might pay to have all those Chrome/Firefox users back.
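As an added illustration of the risk raised in this comment (example code, not from the thread): a small parser and audit for a Public-Key-Pins header that flags a max-age beyond an operational ceiling and pins that are not in the operator's own SPKI set, which is what a defender monitoring their domain would want to catch. The sample header, the pin hashes and the 60-day ceiling are constructed assumptions.

```python
import base64
from datetime import timedelta

# Constructed sample header in the shape the comment describes: a five-year
# max-age and pins that are not the site's own keys. Hashes are placeholders.
SAMPLE_HEADER = (
    'max-age=157680000; includeSubDomains; '
    'pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; '
    'pin-sha256="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="'
)
# Hypothetical SPKI hashes the site operator actually controls (constructed).
KNOWN_GOOD_PINS = {"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="}
# Operational ceiling for max-age; a bad pin locks clients out for that long.
MAX_SAFE_AGE = int(timedelta(days=60).total_seconds())


def parse_pkp(header):
    """Parse a Public-Key-Pins field value (RFC 7469 section 2.1) into a dict."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False,
              "report_uri": None}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            # Each pin is the base64 of a 32-byte SHA-256 digest of the SPKI.
            if len(base64.b64decode(value, validate=True)) != 32:
                raise ValueError(f"malformed pin: {value!r}")
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy

def audit_pkp(header, known_good_pins, max_safe_age=MAX_SAFE_AGE):
    """Return defender-side findings: is this a header we would want cached?"""
    policy = parse_pkp(header)
    findings = []
    if policy["max_age"] is None:
        findings.append("missing max-age: UAs ignore the header")
    elif policy["max_age"] > max_safe_age:
        findings.append(f"max-age {policy['max_age']}s exceeds {max_safe_age}s")
    if len(policy["pins"]) < 2:
        findings.append("fewer than two pins: RFC 7469 requires a backup pin")
    unknown = [p for p in policy["pins"] if p not in known_good_pins]
    if unknown:
        findings.append(f"{len(unknown)} pin(s) not in the known-good set")
    return findings
```

Run against a header observed from your own domain, the second finding is the one that distinguishes an attacker's pin from an operator's over-long max-age.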

Presumably there is a manual process to ask browser maintainers to invalidate fraudulent pins. Hell, list maintainers could charge a processing fee to ensure manual review of each case, and frequent update cycles that don't require browser restarts. The spec makes this possible but not necessary or even outlined, which I think is an oversight.

   UAs MAY choose to implement additional sources of pinning
   information, such as through built-in lists of pinning information.
   Such UAs should allow users to override such additional sources,
   including disabling them from consideration.

   The effective policy for a Known Pinned Host that has both built-in
   Pins and Pins from previously observed PKP header response fields is
   implementation-defined.
https://tools.ietf.org/html/rfc7469#section-2.1
That is a truly brilliant use of certificate pinning and strict transport policy.