by tknkx 2604 days ago
The way I understand it is: certificate revocation is handled by checking OCSP servers, and OCSP servers can be programmed so they give different answers depending on the IP address of whoever is asking. In other words, it should be possible to disable all addons for a selected user by targeting him by IP address.
2 comments

That is such a massive security flaw, and if any other company had such power over my browser experience I would drop their product immediately.

Mozilla, you've really been testing my patience for the last two years.

Seems that Firefox skips revocation checks for CA certs [1].

[1] https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox

Where does it say that? The link says they centrally manage revocations using OneCRL and then push a single revocation list to browsers (independent of browser updates). Which means they can revoke any certificate they want using that mechanism.
Ah, you're correct. Seems they skip CA CRL/OCSP in favor of their own CRL. Thanks for the correction.