Using the Public Key Pinning header, the user will only trust my SSL certificate, supposedly.

If I use only HPKP and the certificate is safe (the attacker has not got it), is it still possible for the attacker to do a MITM or something like that?

In my mind (probably wrong), the attacker is still able to redirect the user to another location, but he does not have the cert, so HPKP will block it. This will prevent the user from consuming the content from the fake server.

Is there a reason to use HPKP + DNSSEC?

Inkeliz
  • 111
  • 5

1 Answer

HPKP is TOFU (Trust On First Use). So if a user's system is compromised but the browser still retains the pin, when the malware redirects the URL request to a fake certificate on their phony proxy, the browser will show an error like "SSL_PINNED_KEY_NOT_IN_CERT_CHAIN" (varies depending on the browser).

However, there are some sites doing it wrongly, e.g. as reported by Netcraft: HTTP Public Key Pinning: You’re doing it wrong!

In addition, because of its TOFU nature, HPKP is not bulletproof against MiTM.

However, if you have a web app/mobile app that inherits the pin for HPKP, then your web app is protected from MiTM attacks if implemented properly.

mootmoot
  • 2,387
  • 10
  • 16
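To make the TOFU behaviour in the answer concrete, here is an added example (not code from the question or answer, and not a real browser's implementation) of a minimal HPKP client: it parses a `Public-Key-Pins` header, notes the pins per host with a `max-age` expiry, and validates a later certificate chain against them. The "SPKI" byte strings are constructed placeholders rather than real DER keys; the only property that matters is that `pin-sha256` is base64(SHA-256(SubjectPublicKeyInfo)). It also shows the "doing it wrong" case: per RFC 7469 a header without a backup pin (or with no pin matching the served chain) is ignored, so such a site gets no protection at all.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
SITE_SPKI = b"constructed-spki-site-key"
BACKUP_SPKI = b"constructed-spki-backup-key"
ATTACKER_SPKI = b"constructed-spki-attacker-key"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp(header: str):
    """Split a Public-Key-Pins header into (pins, max_age, includeSubDomains)."""
    pins, max_age, include_subdomains = [], None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return pins, max_age, include_subdomains


class PinStore:
    """Per-host pin memory: the 'trust on first use' part of HPKP."""

    def __init__(self):
        self._hosts = {}  # host -> (set of pins, expiry time, includeSubDomains)

    def note(self, host: str, header: str, chain_spkis, now: int) -> bool:
        """Note pins from a header received over a validated connection.

        Returns False when the header is ignored (RFC 7469: it must carry
        max-age, one pin matching the served chain, and one backup pin).
        """
        pins, max_age, include_subdomains = parse_pkp(header)
        if max_age is None:
            return False
        chain_pins = {spki_pin(s) for s in chain_spkis}
        matching = [p for p in pins if p in chain_pins]
        backup = [p for p in pins if p not in chain_pins]
        if not matching or not backup:
            return False
        if max_age == 0:  # max-age=0 clears an existing pin
            self._hosts.pop(host, None)
            return True
        self._hosts[host] = (set(pins), now + max_age, include_subdomains)
        return True

    def pins_for(self, host: str, now: int):
        """Return the pins that apply to host (walking up parent domains), or None."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            pins, expires, include_subdomains = entry
            if now >= expires:  # expired pins are forgotten, back to TOFU
                del self._hosts[candidate]
                continue
            if i == 0 or include_subdomains:
                return pins
        return None


def validate(store: PinStore, host: str, chain_spkis, now: int) -> str:
    """Pin validation for a new connection: any SPKI in the chain must match a noted pin."""
    pins = store.pins_for(host, now)
    if pins is None:
        return "NO_PINS_KNOWN"  # first use: nothing to check against
    if any(spki_pin(s) in pins for s in chain_spkis):
        return "OK"
    return "SSL_PINNED_KEY_NOT_IN_CERT_CHAIN"


def demo():
    """Walk through first visit, pinned visit, MITM attempt, bad header, and expiry."""
    good_header = (f'pin-sha256="{spki_pin(SITE_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
                   'max-age=5184000; includeSubDomains')
    no_backup_header = f'pin-sha256="{spki_pin(SITE_SPKI)}"; max-age=5184000'
    store, now = PinStore(), 1000
    out = {"first_visit": validate(store, "example.com", [SITE_SPKI], now)}
    out["noted"] = store.note("example.com", good_header, [SITE_SPKI], now)
    out["pinned_visit"] = validate(store, "example.com", [SITE_SPKI], now + 10)
    out["mitm_subdomain"] = validate(store, "www.example.com", [ATTACKER_SPKI], now + 20)
    out["bad_header_noted"] = PinStore().note("example.com", no_backup_header, [SITE_SPKI], now)
    out["after_expiry"] = validate(store, "example.com", [ATTACKER_SPKI], now + 5184001)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the last result: once `max-age` has lapsed (or before the first visit), the client is back to ordinary certificate validation, which is exactly why the answer says HPKP is not bulletproof against MITM.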