by mseebach 4914 days ago
Judging by how Google says they stumbled over this, "Chrome detected and blocked an unauthorized digital certificate", it seems that's roughly what they're doing. I wonder how many sites it's able to do this for.

(but yes, that is definitely a good solution)

3 comments

You can see the pins list at

https://src.chromium.org/viewvc/chrome/trunk/src/net/base/tr...

Those are the sites that they're currently able to do it for. :-)

If anyone reading wants to have your own site added to the HSTS preload (or perhaps cert pin) lists, I think the Chromium developers are interested in hearing from you. I know they'll add HSTS preloads for any site, but I don't know for sure whether there's a size or popularity threshold of some sort for a cert pin.

Chrome (the browser) is super-paranoid about other people replacing google.com certificates. It knows exactly what they should be and anything else is cause for alarm. 'tptacek talks about it from time to time.

Indeed. Chrome has baked-in public key pinning for their services.

http://www.imperialviolet.org/2011/05/04/pinning.html