Someone should set up a bet about what point in time more than 50% of MITM attempts with revoked (& Heartbleed-snarfed) certs will be caught by default configured browsers. "Never?"
This and lack of PFS are much bigger catastrophes than
the OpenSSL debacle in itself.
(PFS: supported by TLS but disabled by almost everyone so all your old traffic is decryptable with heartbled cert).
Personally, I am for a hard fail OCSP option in HSTS or certificate plus OCSP stapling. Default to soft fail with a warning message for now. Remember captive portals can use OCSP stapling too.
zurn|12 years ago
This and lack of PFS are much bigger catastrophes than the OpenSSL debacle in itself.
(PFS: supported by TLS but disabled by almost everyone so all your old traffic is decryptable with heartbled cert).
yuhong|12 years ago