
Apparently the SSL cert for this got revoked... I wonder if anyone at NASA knows...



JPLer here. DigiCert revoked 90%+ of our certs in some form of user error on their end. We have a self-service tool that anyone on lab can request a cert from; even for internal-only stuff it's externally trusted, so there are thousands of certs issued through them. All *.jpl.nasa.gov certs got revoked, and lots of other sub-domains did too.

That was a fun day having people re-issue thousands of certificates. Not surprised some stuff still hasn't been noticed.


HN is pretty hilarious at times. I love when things like this happen (a peek behind the scenes with added context). You get it right from someone who works there! Amazing.



crt.sh reports that JPL's wildcard certificate was revoked on 2019-01-15: https://crt.sh/?id=273042821


Looks valid on my machine (win10, chrome)


Because OCSP is not reliable. Yeah, SSL/TLS is still broken at large. Can you believe it: by default, there is NO reliable way to revoke a certificate... If OCSP times out, it just times out; the browser simply ignores it and loads the page without warnings. Active attackers can just block the OCSP server before they use a revoked certificate with a leaked private key to launch a MITM attack.

This is why we need OCSP pinning and OCSP Must Staple. OCSP pinning makes the web server itself deliver OCSP responses in-band, thus eliminating the need for clients to make an unreliable connection to a 3rd party, which improves both security and performance. OCSP Must Staple is a certificate attribute that forces the browser to enforce pinned OCSP checks. This is also the reason that Let's Encrypt limits the certificate lifetime to 90 days.
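The soft-fail behaviour and the Must-Staple fix described in the comment above, as an added example that is not part of the thread: a small model of the decision a TLS client makes from the stapled response, the out-of-band OCSP fetch, and the certificate's TLS Feature extension (id-pe-tlsfeature, OID 1.3.6.1.5.5.7.1.24, whose feature value 5 means status_request, i.e. OCSP Must-Staple). The decision table, the `Status` names and the `decide` / `attacker_blocks_responder` helpers are this example's own simplification of what browsers do, not any browser's code; the DER parser handles only the short-form lengths this extension uses in practice.

```python
"""Model of OCSP soft-fail vs. OCSP Must-Staple (added example, not from the thread)."""
from __future__ import annotations

from enum import Enum
from typing import Optional

# id-pe-tlsfeature (RFC 7633). The feature value 5 is the TLS status_request
# extension, which is what "OCSP Must-Staple" asserts in a certificate.
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder answered but does not know this cert
    UNAVAILABLE = "unavailable"  # timeout, DNS failure, or a responder blocked by an attacker


def parse_tls_features(der: bytes) -> list[int]:
    """Decode the extension value, a DER 'SEQUENCE OF INTEGER' (short-form lengths only)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    seq_len = der[1]
    if seq_len & 0x80 or 2 + seq_len != len(der):
        raise ValueError("unsupported or inconsistent SEQUENCE length")
    body, i, features = der[2:], 0, []
    while i < len(body):
        if body[i] != 0x02:
            raise ValueError("expected an INTEGER inside the SEQUENCE")
        n = body[i + 1]
        features.append(int.from_bytes(body[i + 2:i + 2 + n], "big", signed=True))
        i += 2 + n
    return features


def has_must_staple(extensions: dict[str, bytes]) -> bool:
    """extensions maps extension OID -> DER-encoded extnValue (an assumed, simplified shape)."""
    value = extensions.get(TLS_FEATURE_OID)
    return value is not None and STATUS_REQUEST in parse_tls_features(value)


def decide(must_staple: bool, stapled: Optional[Status], fetched: Status,
           soft_fail: bool = True) -> str:
    """Return 'accept' or 'reject' for a chain that is otherwise valid.

    stapled: the OCSP response the server sent in the handshake, or None.
    fetched: the result of the client's own out-of-band query to the responder.
    soft_fail: the browser default, which tolerates an unreachable responder.
    """
    # 1. A usable stapled response is authoritative: it is signed by the CA's
    #    responder and arrives in-band, so blocking the OCSP URL does not remove it.
    if stapled in (Status.GOOD, Status.REVOKED):
        return "accept" if stapled is Status.GOOD else "reject"
    # 2. The cert demands a staple and none (usable) arrived: hard fail, no fallback.
    if must_staple:
        return "reject"
    # 3. Classic out-of-band OCSP: definite answers are honoured...
    if fetched is Status.REVOKED:
        return "reject"
    if fetched is Status.GOOD:
        return "accept"
    # ...and an unknown/unreachable responder is where soft-fail lets the page load.
    return "accept" if soft_fail else "reject"


def attacker_blocks_responder(must_staple: bool) -> str:
    """MITM with a revoked cert and its leaked key, blocking the client's path to the responder.

    The attacker cannot forge a GOOD staple (it must be signed by the responder),
    so the best move is to staple nothing and hope the client soft-fails.
    """
    return decide(must_staple, stapled=None, fetched=Status.UNAVAILABLE)


if __name__ == "__main__":
    # Constructed extension value: SEQUENCE { INTEGER 5 } -> Must-Staple present.
    ext = {TLS_FEATURE_OID: bytes.fromhex("3003020105")}
    print("must-staple:", has_must_staple(ext))
    print("default browser, responder blocked:", attacker_blocks_responder(False))
    print("must-staple cert, responder blocked:", attacker_blocks_responder(True))
```

To check a real site the same way from the command line, `openssl s_client -connect host:443 -status` shows whether a staple is sent in the handshake, and `openssl ocsp -issuer issuer.pem -cert cert.pem -url <responder URL>` asks the responder directly; a cert that carries the TLS Feature extension shows it under "TLS Feature" in `openssl x509 -text` output.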


Safari on iOS does not trust the certificate


Safari, Chrome and Firefox all do not trust it on macOS as well.


My Safari does, to give another viewpoint.


Probably during the government shutdown.


Firefox on Android is fine with it



