On 4 Dec 2023 10:29 +0000, from debianu...@woodall.me.uk (Tim Woodall): > Some years ago I abandoned firefox because there was no way to override > one of its 'I'm sorry Dave, I'm afraid I can't do that' spasms. > > It's crazy that they make things like certificate pinning *impossible* > to override.
Firefox deprecated support for HPKP in version 72 in January 2020, in response to their issue 1412438. https://bugzilla.mozilla.org/show_bug.cgi?id=1412438 https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/72#security Looks like it was originally implemented in Firefox 35, which dates back to January 2015. https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/35#network_security Apparently present-day versions allow _enabling_ HPKP by adding a configuration setting which does not exist by default, but finding a current MDN page even detailing the format of the HPKP HTTP header appears non-trivial; the Wayback Machine has a copy, but going to the current page by URL redirects to the one for Expect-CT which _too_ is deprecated. https://web.archive.org/web/20211104105929/https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Public-Key-Pins#browser_compatibility https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browser_support_and_deprecation -- Michael Kjörling 🔗 https://michael.kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?”
