by asterius 3034 days ago
Certificate pinning is going away: http://www.zdnet.com/article/google-chrome-is-backing-away-f...

I think we can be confident that sites that don't even use CSP won't be implementing Expect-CT any time.

2 comments

HPKP is what the article you posted to is referring to, and probably will go away completely.

However, profiling the public key of the site a mobile app connects to and erroring out if it is compromised to prevent MitM attacks is called 'certificate pinning' for mobile apps but is not related to the HPKP pinning of browsers. A reference for certificate pinning: https://blog.netspi.com/certificate-pinning-in-a-mobile-appl...

It seems grandiose to call that 'certificate pinning' when it is just hard coding, e.g. a self-signed CA cert or (worse) a particular server cert.

Makes me suspect that a lot of client side validation is happening with mobile apps.

Presumably GP was talking about in-app certificate pinning, not Google’s opinion of the day...