
It is part of the RFC: if a certificate is signed by a root certificate that is trusted in your private store (meaning it was added later on), HPKP is ignored. Unfortunately, this is required in the enterprise world where corporate MiTM is often done (Palo Alto Network SSL proxy, Websense/Forcepoint, Zscaler, Blue Coat, etc.) for content inspection.
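
The pinning rule the comment above describes, as an added example that is not part of the original thread or of any browser's code: a minimal HPKP pin check in Python. It parses a Public-Key-Pins value using the RFC 7469 syntax (`pin-sha256="..."` tokens plus `max-age`), computes pins as base64(SHA-256(DER SubjectPublicKeyInfo)), and skips pin validation entirely when the validated chain terminates at a root from the user-added (private) store rather than a built-in one, which is the allowance RFC 7469 section 2.6 makes for local policy. The SPKI byte strings, the trust-store contents and the function names are constructed for this example; real certificates would have their SubjectPublicKeyInfo extracted first.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real
# certificates); only their hashes matter for the pin logic below.
SPKI_LEAF = b"constructed-spki-leaf"
SPKI_INTERMEDIATE = b"constructed-spki-intermediate"
SPKI_BACKUP_KEY = b"constructed-spki-backup-key"
SPKI_PUBLIC_ROOT = b"constructed-spki-public-root"
SPKI_CORP_ROOT = b"constructed-spki-corporate-proxy-root"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# A site pins its intermediate's key and a backup key it keeps offline; RFC 7469
# requires at least one backup pin that is not in the currently served chain.
PKP_HEADER = (
    'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
    % (spki_pin(SPKI_INTERMEDIATE), spki_pin(SPKI_BACKUP_KEY))
)

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def parse_pkp_header(header: str) -> dict:
    """Parse a Public-Key-Pins value into its pins, max-age and subdomain flag."""
    pins = set(_PIN_RE.findall(header))
    m = re.search(r"max-age=(\d+)", header)
    if m is None:
        raise ValueError("Public-Key-Pins requires a max-age directive")
    return {
        "pins": pins,
        "max_age": int(m.group(1)),
        "include_subdomains": "includeSubDomains" in header,
    }


@dataclass
class TrustStores:
    builtin_roots: set      # SPKIs of roots shipped with the user agent
    user_added_roots: set   # SPKIs of roots installed locally (corporate CA, etc.)


def chain_passes_pins(chain_spkis: list, pins: set, stores: TrustStores) -> tuple:
    """Return (accepted, reason) for a leaf-first chain ending at its trust anchor.

    If the anchor is a user-added root, the chain is accepted without consulting
    the pins at all: this is the private-store override that lets a corporate
    TLS-inspecting proxy re-sign the leaf and still pass an HPKP-protected host.
    """
    root = chain_spkis[-1]
    if root in stores.user_added_roots and root not in stores.builtin_roots:
        return True, "private-root-override"
    if root not in stores.builtin_roots:
        return False, "untrusted-root"
    # Otherwise at least one SPKI in the validated chain must match a pin.
    for spki in chain_spkis:
        if spki_pin(spki) in pins:
            return True, "pin-match"
    return False, "pin-mismatch"


if __name__ == "__main__":
    policy = parse_pkp_header(PKP_HEADER)
    stores = TrustStores(builtin_roots={SPKI_PUBLIC_ROOT},
                         user_added_roots={SPKI_CORP_ROOT})
    print(chain_passes_pins([SPKI_LEAF, SPKI_INTERMEDIATE, SPKI_PUBLIC_ROOT],
                            policy["pins"], stores))
    print(chain_passes_pins([b"proxy-signed-leaf", SPKI_CORP_ROOT],
                            policy["pins"], stores))
    print(chain_passes_pins([b"rogue-leaf", SPKI_PUBLIC_ROOT],
                            policy["pins"], stores))
```

The third call shows what pinning is for: a leaf issued by a built-in public root that the site never pinned is rejected. The second shows the exemption the comment refers to: the proxy's chain matches no pin, but because its root lives in the user-added store the check is bypassed.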



>Unfortunately, this is required in the enterprise world where corporate MiTM is often done

This still should not be the default; rather, corps should have an easy about:config switch they can flip. The default should protect private users.


How is that a meaningfully different experience? Anything able to install a CA can flip the config value.



