by jtl999 2232 days ago
> in fact it was deprecated in 2017 because it caused so many problems. Instead things like HSTS and transparency logs are used to prevent damage from malicious issuance of certificates, and organizations can typically override things with their own CA.

Still kinda salty that pinning was deprecated from HTTPS. It wasn't perfect (accidental/malicious pinning was far too easy, seeing how it was merely controlled by an HTTP header), but the current alternatives (Certificate Transparency, CAA DNS records) aren't an adequate replacement. Sure, Certificate Transparency helps to detect a misused certificate, but it doesn't actively prevent it from being used, and CAA requires that the CA isn't "lying" about the header through a "bug" or otherwise.
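The CAA point above is that the control lives entirely in the CA's own issuance check. As an added example (not part of the comment or of any CA's code), this is that check as RFC 8659 describes it, run against constructed records instead of live DNS: climb from the name toward the root to find the relevant record set, prefer issuewild for wildcard names, and refuse on a critical flag with an unknown tag. Record contents, CA names and the dict lookup are assumptions.

```python
"""CAA authorization check per RFC 8659 over a constructed record set.
Assumption (constructed): DNS answers are supplied as a dict, not looked up live."""
from typing import Dict, List, Tuple

# (flags, tag, value) per FQDN; sample data invented for this example.
CAA_RECORDS: Dict[str, List[Tuple[int, str, str]]] = {
    "example.test": [(0, "issue", "ca-a.test; account=123"), (0, "issuewild", ";")],
    "locked.example.test": [(128, "unknown-tag", "x")],  # critical bit on an unknown tag
}


def relevant_record_set(name: str, records: Dict[str, List[Tuple[int, str, str]]]):
    """Walk from the name toward the root; the closest label with CAA records wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in records:
            return records[candidate]
    return []


def ca_authorized(name: str, ca: str, records=CAA_RECORDS) -> bool:
    """Return True if the CA identified by `ca` may issue for `name` (may be *.example)."""
    wildcard = name.startswith("*.")
    host = name[2:] if wildcard else name
    rrset = relevant_record_set(host, records)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False  # critical flag on a tag we do not understand: must refuse
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # relevant set exists but names no issuer restriction
    # The issuer domain is the part before ';'; an empty domain (";") authorizes nobody.
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    return ca.lower() in allowed


if __name__ == "__main__":
    for host, ca in [("www.example.test", "ca-a.test"), ("*.example.test", "ca-a.test")]:
        print(host, ca, "authorized" if ca_authorized(host, ca) else "refused")
```

Auditing your own zones with the same walk (does every subdomain inherit the set you intended, and is issuewild set where wildcards are never issued) is the defender-side use of this logic.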