Do CRLs even work? My understanding is that the only browser that hard-fails to load a page if OCSP is blocked is Chrome for certs in CRLSets. Everyone else is vulnerable to MITM if access to the CRL / OCSP servers is blocked.
I would love to be wrong. Does anyone know if anything has changed for the better since 2011?