> Do current browsers entirely prevent a connection to untrusted certs when HSTS is set?
Yes. HSTS would not do much to prevent active MiTM. HSTS just tells the browser that it should only connect to the site over HTTPS. It does not mention which certificates are trusted.
It seems like you are hinting at certificate pinning (https://en.wikipedia.org/wiki/Transport_Layer_Security#Certi...). Pinning would prevent rogue CAs from signing bad certificates, but pinning is hard to do on the web. It is mainly used with mobile applications from what I have seen.
Edit: Here is a list of pinned sites in Chrome, if you are curious. (https://src.chromium.org/viewvc/chrome/trunk/src/net/http/tr...)
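To make the distinction in the reply above concrete, here is an added example (not code from the thread or from any browser): a minimal HSTS policy store, in the spirit of RFC 6797, that records `Strict-Transport-Security` headers and upgrades `http://` URLs, placed next to a toy SPKI pin check of the kind used by Chrome's preload pins. The HSTS store has no field for certificates at all, so a host being "known HSTS" says nothing about which CA issued the certificate; only the pin check can reject a key the site never published. All hosts, header values and key bytes below are constructed sample data.

```python
import base64
import hashlib
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a policy dict.

    Returns None when the required max-age directive is missing or malformed.
    Note the parsed policy carries only max-age and includeSubDomains:
    nothing about certificates or CAs.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    """Per-host HSTS state, as a browser keeps it (hypothetical, simplified)."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def record(self, host, header):
        """Remember a policy seen over a valid HTTPS response. Returns True if stored."""
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self._entries[host] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self._now():
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known HSTS hosts; other URLs are untouched."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def spki_pin(spki_der):
    """Base64(SHA-256(SubjectPublicKeyInfo)), the pin format used by HPKP and preload lists."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(chain_spkis, pinned):
    """A pin check passes if any public key in the presented chain matches a pinned hash."""
    return any(spki_pin(spki) in pinned for spki in chain_spkis)


if __name__ == "__main__":
    store = HstsStore()
    store.record("example.com", "max-age=31536000; includeSubDomains")
    print(store.upgrade("http://www.example.com/login"))  # upgraded to https
    # Constructed key bytes standing in for DER-encoded SubjectPublicKeyInfo blobs.
    pins = {spki_pin(b"constructed-site-key")}
    print(pin_matches([b"constructed-site-key"], pins))      # True: the real key
    print(pin_matches([b"constructed-rogue-ca-key"], pins))  # False: HSTS alone would not catch this
```

The store only decides the scheme; certificate validation is a separate step, and without pins that step trusts whatever the platform's CA set trusts, which is the gap the reply is pointing at.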