Someone should set up a bet about what point in time more than 50% of MITM attempts with revoked (& Heartbleed-snarfed) certs will be caught by default configured browsers. "Never?"<p>This and lack of PFS are much bigger catastrophes than
the OpenSSL debacle in itself.<p>(PFS: supported by TLS but disabled by almost everyone so all your old traffic is decryptable with heartbled cert).
Personally, I am for a hard fail OCSP option in HSTS or certificate plus OCSP stapling. Default to soft fail with a warning message for now. Remember captive portals can use OCSP stapling too.