

Revocation still doesn't work - moonboots
https://www.imperialviolet.org/2014/04/29/revocationagain.html

======
zurn
Someone should set up a bet about what point in time more than 50% of MITM
attempts with revoked (& Heartbleed-snarfed) certs will be caught by
default-configured browsers. "Never?"

This and lack of PFS are much bigger catastrophes than the OpenSSL debacle in
itself.

(PFS: supported by TLS but disabled by almost everyone so all your old traffic
is decryptable with heartbled cert).

------
yuhong
Personally, I am for a hard-fail OCSP option in HSTS or certificate plus OCSP
stapling. Default to soft fail with a warning message for now. Remember
captive portals can use OCSP stapling too.

