Chrome's pinning is a definite upgrade, but it's more vulnerable than some people make it seem. In practice, a pin consists of a list of CA certificates which are allowed to sign for the given domain (the list is in [1]). This list can be surprisingly long: for example, the list for twitter.com contains 22 keys from 3 different CAs.
This means that, e.g., if you are "good friends" with Verisign, you can get them to issue a certificate for any Google property, and Chrome will happily accept it.
[1] https://src.chromium.org/viewvc/chrome/trunk/src/net/http/tr...
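The pin check the comment describes, as an added example that is not from this thread or from Chromium's code: it models the preloaded list as a set of SPKI hashes and accepts a chain when any certificate in it matches, so a leaf issued by any of the three pinned (constructed) CAs passes while one from an unpinned CA fails. It assumes the chain has already passed normal path validation, which it does not repeat; all CAs, keys and hostnames are constructed in-process.

```python
import base64
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def spki_sha256(cert: x509.Certificate) -> str:
    """Base64(SHA-256(DER SubjectPublicKeyInfo)): the usual encoding of a pin."""
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    digest = hashes.Hash(hashes.SHA256())
    digest.update(der)
    return base64.b64encode(digest.finalize()).decode()


def make_cert(cn, key, issuer_cn, issuer_key, is_ca) -> x509.Certificate:
    """Minimal CA (self-signed) or leaf certificate; constructed, trusted by nobody."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
               .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())


def chain_satisfies_pins(chain, pins) -> bool:
    """Accept if ANY SPKI in the (already validated) chain is on the pin list.
    This is why every pinned CA, not only the one the site uses, can issue for it."""
    return any(spki_sha256(c) in pins for c in chain)


# Three CAs on the constructed pin list for "pinned.example", plus one that is not.
ca_keys = {n: ec.generate_private_key(ec.SECP256R1()) for n in ("CA-A", "CA-B", "CA-C", "Other")}
ca_certs = {n: make_cert(n, k, n, k, True) for n, k in ca_keys.items()}
PINS = {spki_sha256(ca_certs[n]) for n in ("CA-A", "CA-B", "CA-C")}


def accepted_by(issuer: str) -> bool:
    """Would this pin check accept a pinned.example leaf issued by the named CA?"""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = make_cert("pinned.example", leaf_key, issuer, ca_keys[issuer], False)
    return chain_satisfies_pins([leaf, ca_certs[issuer]], PINS)
```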