On Thu, Feb 19, 2015 at 12:15 PM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Thu, Feb 19, 2015 at 6:10 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>> On Mon, Feb 16, 2015 at 3:34 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
>>> What would you suggest instead?
>>
>> Sorry to dig up an old thread.
>>
>> Here's yet another failure that Public Key Pinning should have
>> stopped, but the browser's rendition of HPKP could not stop because of
>> the broken security model:
>> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/.
>
> That does not really answer my questions though.
>
Good point.
Stop letting externalities control critical security parameters unmolested since an externality is not the origin nor the user. HPKP has a reporting mode, but a broken pinset is a MUST NOT report. Broken pinsets should be reported to the user and the origin so the browser is no longer complicit in covering up for the attacker.

Jeff