Revocation still doesn't work

imperialviolet.org

8 points by moonboots 12 years ago · 2 comments

zurn 12 years ago

Someone should set up a bet about what point in time more than 50% of MITM attempts with revoked (& Heartbleed-snarfed) certs will be caught by default configured browsers. "Never?"

This and lack of PFS are much bigger catastrophes than the OpenSSL debacle in itself.

(PFS: supported by TLS but disabled by almost everyone so all your old traffic is decryptable with heartbled cert).

yuhong 12 years ago

Personally, I am for a hard fail OCSP option in HSTS or certificate plus OCSP stapling. Default to soft fail with a warning message for now. Remember captive portals can use OCSP stapling too.
