I was wondering if this is more a problem with how third parties are handling SSL custom domains rather than HPKP. I would have thought SSL custom domains would have been that you just upload a certificate/private key you want to use, or you click a checkbox saying that you are happy to use letsencrypt. But I'm guessing for various reasons (no SNI support, etc.) some of these companies are using a massive shared certificate.
Also, if you are building a competing product with someone that is doing custom SSL domains, it might be useful to check whether your competitor is using a shared cert, because you can get a list of companies that are paying for the premium product :)
This is a really good point, and I feel like the two issues are intertwined. I think HPKP being heavily adopted as it's spec'ed now makes it even harder for third parties trying to do the Right Thing, and for their customers to take advantage of it.
Most of the problems I've seen with pushing HTTPS and the vulnerable CA problem forward really do break down at the "third party provider" boundary, which is a little surprising, because it's an amazingly common situation now, and has been for a while.
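Added example, not from either comment above: a defender-side check for the situation both posts describe. Given the DER leaf certificate a provider serves for your custom domain, it lists the SAN dNSName entries that are not under your own domain (other tenants sharing the cert, which is exactly the information a shared cert leaks) and computes the HPKP pin-sha256 value of the certificate's SubjectPublicKeyInfo, so you can see that the pin you would publish belongs to the provider's shared key, not to anything you control. The DER encoder, the sample certificate structure (unsigned, placeholder key bytes) and the customer hostnames are all constructed here for the example; a real check would feed in the leaf DER taken from a TLS handshake to your domain.

```python
import base64
import hashlib

# ---- minimal DER encoder, only what the constructed sample certificate needs ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += enc
    return tlv(0x06, bytes(body))

SAN_OID = oid("2.5.29.17")                                    # subjectAltName
RSA_ALG = seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b""))    # rsaEncryption
SIG_ALG = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))   # sha256WithRSAEncryption

def make_spki():
    # Constructed placeholder key material; not a real RSA key.
    return seq(RSA_ALG, tlv(0x03, b"\x00" + bytes(range(32))))

def build_sample_cert(dns_names):
    """Constructed, unsigned X.509 v3 structure carrying a SAN list (sample data only)."""
    name = seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, b"shared-edge.example"))))
    san = seq(SAN_OID, tlv(0x04, seq(b"".join(tlv(0x82, n.encode()) for n in dns_names))))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                        # [0] version v3
        tlv(0x02, b"\x01"),                                   # serialNumber
        SIG_ALG, name,                                        # signature, issuer
        seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z")),
        name, make_spki(),                                    # subject, SubjectPublicKeyInfo
        tlv(0xA3, seq(san)),                                  # [3] extensions
    )
    return seq(tbs, SIG_ALG, tlv(0x03, b"\x00" * 9))          # signature bytes are dummy

# ---- minimal DER reader ----
def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = parse_tlv(content, pos)
        out.append((tag, val))
    return out

def pin_of(spki_der):
    """HPKP pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)), per RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def inspect_cert(der):
    """Return (dNSName list from the SAN extension, SPKI pin) of a DER certificate."""
    _, cert, _ = parse_tlv(der)
    _, tbs, _ = parse_tlv(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:            # drop explicit [0] version so indices are stable
        fields = fields[1:]
    spki_der = tlv(0x30, fields[5][1])  # serial, sigalg, issuer, validity, subject, SPKI
    names = []
    for tag, val in fields:
        if tag != 0xA3:                 # [3] extensions
            continue
        for _, ext in children(parse_tlv(val)[1]):
            parts = children(ext)       # extnID, [critical], extnValue
            if tlv(*parts[0]) == SAN_OID:
                gen_names = parse_tlv(parts[-1][1])[1]
                names = [v.decode() for t, v in children(gen_names) if t == 0x82]
    return names, pin_of(spki_der)

def shared_cert_report(der, my_domain):
    """Flag SAN entries outside my_domain: other tenants riding on the same certificate."""
    names, pin = inspect_cert(der)
    foreign = sorted(n for n in names if n != my_domain and not n.endswith("." + my_domain))
    return {"spki_pin": pin, "san_count": len(names), "foreign_names": foreign, "shared": bool(foreign)}

# Constructed sample: three tenants' hostnames on one provider certificate.
SAMPLE_CERT = build_sample_cert([
    "shop.customer-a.example", "www.customer-b.example", "docs.customer-c.example",
])

if __name__ == "__main__":
    print(shared_cert_report(SAMPLE_CERT, "customer-a.example"))
```

If `shared` comes back true, an HPKP header on your domain would pin a key that the provider rotates for every tenant at once, which is the "third party boundary" failure the thread is about; the sane options are to ask the provider for a per-customer certificate (or bring your own) or not to pin at all.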