Chrome has pinning too (in fact, Firefox's baseline list for HSTS and pinning is extracted from there). AFAIK, Mozilla just didn't ask for their domains to be pinned in Chromium. I don't think lack of support for MITM attacks is a bug that should be addressed. It's a security liability even when used internally by an organization.
The system certificate store is used for everything else, so if you're not looking at the bigger picture it has little value. However, it does have real value because it provides a lot of leverage with the CAs via the browser's usage share. It's also the system certificate store on many platforms (Linux, *BSD) and using it universally keeps it tested and maintained.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy