it's a pretty neat and simple idea:
Kill HSTS through NTP by sending victims PC into the future.
https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
Same should work for HPKP. The idea of setting some security feature
through a header needs a revisit. The solution would be to have a more reliable PC time. How do we do
that?
See
https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf