Firstly the cert revocation check does work.
You are assuming an arbitrarily advanced adversary who is assumed to pull off an MITM and also attempt to block access to the CA's servers, when in reality that may very well not be the case. Just because someone is doing an MITM does not mean that they will also block access to the CA's servers.
Secondly the MITM can happen at different levels. If the server that is sending you the response is being MITM'd but you are not, then you can safely access the CA's servers and check for revocation. The MITM does not necessarily affect the client in a manner that guarantees the failure to access the CA's servers.
And finally these personal attacks and Steve Gibson bashing really get old.
Perhaps he made some mistakes or took controversial positions like ... when? 10 years ago? and people won't let it go.
The exclamation points and all caps and colored text and the ugly web pages are just his utilitarian and old-school style.
I listen to his weekly Security Now podcast and without failure he is well-prepared, thorough, accurate and correct. Even when he makes a small mistake, the next week he comes along, specifies the exact mistake, apologises and corrects it.
Instead every time he is mentioned someone comes along and says "ew hurr durr 10 years ago he said something about raw sockets in XP".
My point is, no one is perfect, and he certainly has not done anything to deserve these personal bashings and attacks from the community. If anything he is a long-time contributor, has made many tools available online and is now developing the SQRL login system in public ... so ... give him a break.
By far the most common MITM attack is through untrusted WiFi networks. That's when SSL is most valuable to the user, and also when it's easiest for an attacker to block access to CA servers. Other kinds of MITM attacks are so much less common they're barely worth talking about in this context.
IMO, an adversary that can extract a cert using Heartbleed and set up a MITM should also be advanced enough to block some IP addresses.
I'm confused by the rest of your comments about Gibson. All I said about him was that he continues to generate hysteria without providing details or citing prior discussion. The only things I'm accusing him of are things he is still doing today.
He has announced that the current state of cert revocation will be covered in detail on the next upcoming episode of Security Now. The current page is wordy and lacking, and I will be very surprised if he doesn't update it with real substantiating information soon.
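The disagreement above is about what a client does when the CA's OCSP responder cannot be reached. The following is an added simulation, not code from the thread or from any browser: it models a revoked certificate (as after a Heartbleed key leak), a network position where the responder is blocked, and the two client policies (soft-fail, which accepts on failure, and hard-fail, which rejects), plus OCSP stapling as the mitigation that removes the need to reach the CA at all. Serial numbers, timestamps and the `Responder`/`Network` classes are constructed for the model; real OCSP signature validation is omitted and assumed to have passed.

```python
"""Simulation of TLS revocation-check policy versus a blocked OCSP responder.

Constructed model: no real certificates, signatures or sockets. It shows
why soft-fail makes a revoked certificate usable by anyone who can block
the CA's responder, and why a stapled response changes that picture.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


class Policy(Enum):
    SOFT_FAIL = "soft-fail"   # responder unreachable -> accept the certificate
    HARD_FAIL = "hard-fail"   # responder unreachable -> reject the certificate


@dataclass(frozen=True)
class OCSPResponse:
    serial: int
    status: Status
    this_update: int   # simulated clock (seconds)
    next_update: int   # response is only trusted before this time


class ResponderUnreachable(Exception):
    """Raised when the client cannot reach the CA's OCSP responder."""


@dataclass
class Responder:
    """The CA's OCSP responder: a table mapping certificate serial -> status."""
    statuses: Dict[int, Status]
    validity: int = 7 * 24 * 3600   # constructed: one-week response lifetime

    def answer(self, serial: int, now: int) -> OCSPResponse:
        status = self.statuses.get(serial, Status.GOOD)
        return OCSPResponse(serial, status, now, now + self.validity)


@dataclass
class Network:
    """The client's view of the network; `blocked` models an on-path adversary
    (e.g. a hostile Wi-Fi gateway) dropping traffic to the responder."""
    responder: Responder
    blocked: bool = False

    def fetch(self, serial: int, now: int) -> OCSPResponse:
        if self.blocked:
            raise ResponderUnreachable("no route to OCSP responder")
        return self.responder.answer(serial, now)


def is_fresh(resp: OCSPResponse, serial: int, now: int) -> bool:
    """A stapled response counts only for this serial and inside its window."""
    return resp.serial == serial and resp.this_update <= now < resp.next_update


def check_revocation(serial: int, now: int, policy: Policy, network: Network,
                     stapled: Optional[OCSPResponse] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for the certificate with this serial.

    A fresh stapled response is used directly, so the CA need not be reachable.
    Otherwise the client asks the responder; on failure the policy decides.
    """
    if stapled is not None and is_fresh(stapled, serial, now):
        resp, source = stapled, "stapled"
    else:
        try:
            resp, source = network.fetch(serial, now), "responder"
        except ResponderUnreachable:
            if policy is Policy.SOFT_FAIL:
                return True, "responder unreachable; soft-fail accepted"
            return False, "responder unreachable; hard-fail rejected"
    if resp.status is Status.REVOKED:
        return False, f"revoked per {source} response"
    return True, f"good per {source} response"


# Constructed scenario: serial 0x1234 was revoked after its key leaked.
LEAKED_SERIAL = 0x1234
CA = Responder({LEAKED_SERIAL: Status.REVOKED})


def scenario(policy: Policy, blocked: bool, stapled: Optional[OCSPResponse] = None,
             now: int = 1_000_000) -> Tuple[bool, str]:
    """Run one client connection to the revoked certificate."""
    return check_revocation(LEAKED_SERIAL, now, policy, Network(CA, blocked), stapled)


if __name__ == "__main__":
    for policy in Policy:
        for blocked in (False, True):
            print(policy.value, "blocked" if blocked else "open", scenario(policy, blocked))
```

The last two assertions in the accompanying checks exercise the stapling caveat: a "good" response issued before revocation stays acceptable until its `next_update`, which is why responders keep the validity window short; once it expires, the client falls back to a live check and the policy decides again.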
> I listen to his weekly Security Now podcast and without failure he is well-prepared, thorough, accurate and correct. Even when he makes a small mistake next week he comes along, specifies the exact mistake and apologises and corrects it.
> Perhaps he made some mistakes or took controversial positions like ... when? 10 years ago? and people won't let it go.
According to archive.org [1] the password haystack page [2] is from June 2011. He hasn't changed his "controversial" opinion on that matter yet.