It's substantially stronger than ordinary certificate authorities without certificate pinning in many ways. (Namely, an entity out of your control (a certificate authority) being compromised / exploited / coerced doesn't also compromise you.)
The weak point is at initial connection (i.e. before you have the certificate pinned, or if the certificate changes legitimately and you have no way of confirming that fact). However, even in this case it is no worse than without pinning.
(I wish that HTTPS had a certificate-passing mechanism. I.e. if the given certificate doesn't match the pinned one you contact a site that you have the certificate for already and ask it to give you the certificate it believes is for the site. Do this for the same website with multiple sites and you'll have a good idea if someone is not trying to MITM you. You'd have to have rate limiting, etc, etc, but it would in many ways solve this problem. Unfortunately, it's something that would have to be built into the protocol, or else it would be blocked often enough to not be useful. (ICMP and firewalls, for example))
In the extremely common case of visiting a site for the first time on a new device or user agent, it provides almost no security at all. There are other problems, but that's a pretty big one.
It's substantially stronger than ordinary certificate authorities without certificate pinning in many ways. (Namely, an entity out of your control (a certificate authority) being compromised / exploited / coerced doesn't also compromise you.)
The weak point is at initial connection (i.e. before you have the certificate pinned, or if the certificate changes legitimately and you have no way of confirming that fact). However, even in this case it is no worse than without pinning.
(I wish that HTTPS had a certificate-passing mechanism. I.e. if the given certificate doesn't match the pinned one you contact a site that you have the certificate for already and ask it to give you the certificate it believes is for the site. Do this for the same website with multiple sites and you'll have a good idea if someone is not trying to MITM you. You'd have to have rate limiting, etc, etc, but it would in many ways solve this problem. Unfortunately, it's something that would have to be built into the protocol, or else it would be blocked often enough to not be useful. (ICMP and firewalls, for example))