

Ask HN: Certificate Revocation for Heartbleed? - snewman

As we all know by now, any certificate potentially exposed via the Heartbleed bug should be revoked, and a new certificate generated. However, certificate revocation appears to be of dubious effectiveness in practice [0]. As a site operator, is there any practical measure I can take to give teeth to a revocation?

[0] http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html
======
late2part
You are at the whims of the clients and the browsers they are using.

But, you already are, as they decide whether or not to trust or verify the
authenticity of your certificate.

You can and should revoke, but it's not clear to me that you can increase the
efficacy of that action with your clients.

