
This post has an incomplete and somewhat dismissive take on certificate pinning.

It's true that pinning involves a degree of trust in the certificate presented on the first connection, and that is a weakness.

But that weakness is mitigated. Browsers also rely on the CA signatures for that certificate (pinning augments CAs, but doesn't replace them).

The potency of pinning is subtle, because nobody trusts CAs (and shouldn't!). You have to think beyond just your browser, and you have to grok that CAs are a finite resource for your adversaries. You trust the CA-signed pinned cert for an HPKP site on the first connection. But other browsers have had that pin cached, and when the pin is tampered with, they don't trust it. When they see the broken pin, they can do more than just not trust the connection: they can also relay the evidence that a CA is implicated in signing a certificate that breaks a pin.

Google won't say so specifically, but it's not unlikely that some of the last few CAs to have been burned by trying to sign Google sites were caught because of pinning.

Pinning protects more than individual browsers; it also uses the installed base of pinning browsers to protect everyone, not just those using pinning browsers, by turning them into a global surveillance system for compromised CAs.
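
Added example, not part of the comment above: a minimal Python model of the behaviour it describes, where a browser with a cached pin rejects a CA-valid chain that breaks the pin and keeps the evidence, while a first-time browser has nothing to compare against. `PinningClient`, the report field names, the hostname, and the byte strings standing in for DER-encoded SubjectPublicKeyInfo are all assumptions made for illustration; expiry (`max-age`) and the backup-pin requirement of RFC 7469 are left out.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin (RFC 7469): base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

class PinningClient:
    """Hypothetical client model: one pin cache per browser."""
    def __init__(self):
        self.cache = {}  # hostname -> set of pins noted on an earlier visit

    def connect(self, host, chain_spkis, ca_valid, advertised=()):
        """Return (accepted, report); report is a dict only on a pin violation."""
        if not ca_valid:
            return False, None  # pinning augments CA validation, it does not replace it
        served = {spki_pin(s) for s in chain_spkis}
        known = self.cache.get(host)
        if known is None:
            # First connection: nothing to compare against, so the CA-signed
            # chain is trusted and the advertised pins are noted if one matches.
            if served & set(advertised):
                self.cache[host] = set(advertised)
            return True, None
        if served & known:
            return True, None
        # Broken pin: refuse, and keep the evidence that implicates the issuer.
        return False, {"hostname": host, "known_pins": sorted(known),
                       "served_pins": sorted(served)}

# Constructed placeholder byte strings standing in for DER-encoded SPKIs.
SITE_KEY, BACKUP_KEY = b"constructed-site-spki", b"constructed-backup-spki"
REAL_CA_KEY, OTHER_CA_KEY = b"constructed-ca-spki", b"constructed-other-ca-spki"
MISISSUED_KEY = b"constructed-misissued-leaf-spki"

def demo():
    pins = [spki_pin(SITE_KEY), spki_pin(BACKUP_KEY)]
    veteran, newcomer = PinningClient(), PinningClient()
    # The veteran browser visited earlier and cached the site's pins.
    first = veteran.connect("example.test", [SITE_KEY, REAL_CA_KEY], True, pins)
    # Later, both browsers are served a CA-valid chain that breaks the pin.
    bad_chain = [MISISSUED_KEY, OTHER_CA_KEY]
    seen_by_veteran = veteran.connect("example.test", bad_chain, True)
    seen_by_newcomer = newcomer.connect("example.test", bad_chain, True)
    return first, seen_by_veteran, seen_by_newcomer
```

`demo()` returns the three connection outcomes; only the browser with the cached pin produces a report, and that report carries the served pins that point back at the signing CA.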


