When connecting to a site, a lot of the TLS logic runs in the background and is not visible to the user. Mozilla should adopt a policy that, going forward, all TLS insights are easily available to the user, and the browser shouldn't perform any TLS operation that the user cannot verify.
For example, a user can never know whether a site passed the CRLite check correctly. Was the live OCSP check passed? Was there a stapled OCSP response? This should be included in the security info pop-up from the address bar and should include the following info:
Status of all checks:
- CRLite
- Certificate Transparency log
- live OCSP (online CA check)
- stapled OCSP response
Other relevant info:
- HSTS (and where this policy came from, i.e. from the first visit or from a preloaded list)
- Public Key Pinning
- any relevant DNS records that involve security
This would fix issues like the following: why are some revoked certificates being allowed?
- https://revoked-isrgrootx1.letsencrypt.org/
- https://revoked.badssl.com/
Both are allowed when live OCSP checks fail or are disabled, but it is not obvious to the user that any check failed (and presumably these certificates were not revoked with a CRL).
- https://revoked.grc.com/
This one is correctly revoked even with live OCSP checks disabled (presumably because it is revoked through a CRL that CRLite checks? Again, the user has no idea).
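To illustrate the point, here is a small added example (not code from the original post or from Firefox) that models soft-fail revocation checking and produces the per-check status text the post asks for. The evaluation order (stapled OCSP, then CRLite, then live OCSP) and the two scenarios are assumptions modelled on the post's examples, not verified against the live sites.

```python
from dataclasses import dataclass
from enum import Enum

class Result(Enum):
    GOOD = "good"                # check ran and found the certificate valid
    REVOKED = "revoked"          # check ran and found the certificate revoked
    UNAVAILABLE = "unavailable"  # check could not run: disabled, timed out, no data
    SKIPPED = "skipped"          # an earlier check already gave a definitive answer

@dataclass
class Checks:
    stapled_ocsp: Result  # OCSP response stapled into the TLS handshake
    crlite: Result        # locally cached CRL data (CRLite)
    live_ocsp: Result     # online query to the CA's OCSP responder

# Assumed evaluation order; a browser's real pipeline may differ.
ORDER = ("stapled_ocsp", "crlite", "live_ocsp")

def decide(checks: Checks, hard_fail: bool = False):
    """Return (allowed, report); report maps each check to its outcome.
    Checks run in ORDER until one is definitive (GOOD or REVOKED). If none
    is, soft-fail (hard_fail=False) allows the connection, hard-fail blocks it."""
    report = {}
    verdict = None
    for name in ORDER:
        if verdict is not None:
            report[name] = Result.SKIPPED
            continue
        result = getattr(checks, name)
        report[name] = result
        if result in (Result.GOOD, Result.REVOKED):
            verdict = result is Result.GOOD
    if verdict is None:
        verdict = not hard_fail
    return verdict, report

def security_info(checks: Checks, hard_fail: bool = False) -> str:
    """The per-check status text the post wants the security pop-up to show."""
    allowed, report = decide(checks, hard_fail)
    lines = [f"{name}: {res.value}" for name, res in report.items()]
    lines.append("connection: " + ("allowed" if allowed else "blocked"))
    return "\n".join(lines)

# Constructed scenarios modelled on the post's examples (hypothetical, not measured).
# No staple, CRLite has no data, live OCSP disabled: soft-fail quietly allows it.
BADSSL_LIKE = Checks(Result.UNAVAILABLE, Result.UNAVAILABLE, Result.UNAVAILABLE)
# CRLite holds the revocation: blocked regardless of OCSP availability.
GRC_LIKE = Checks(Result.UNAVAILABLE, Result.REVOKED, Result.UNAVAILABLE)
```

Calling security_info(BADSSL_LIKE) shows every check as "unavailable" yet the connection as "allowed", which is exactly the silent outcome the post describes; with hard_fail=True the same inputs yield "blocked".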