Standard User jchamier
(eat-sleep-adslguide) Sat 08-Jan-22 19:42:22

Re: Exchange Coverage Map


[re: Pheasant] [link to this post]
 
In reply to a post by Pheasant:
which aren’t flagging the revoked certificate.

Openreach are using Sectigo for this cert, who don't have the best reputation. Formerly Comodo, they renamed themselves after the brand was tarnished due to the CA not issuing certificates in accordance with their own procedures. Hence the likes of Mozilla, Apple and Microsoft took action to block many of their certs.

Sectigo have a page on their site that says what to "do" if you hit this problem, which mostly reinstalls various Windows DLLs that are used by IE (??) and tells you to clear the cache in Firefox and other browsers.

Why Openreach are using Sectigo for the map and Digicert for the main site is very strange; you typically have one CA provider. My guess is the map is outsourced to a third party who have foolishly used Sectigo.

For example, one thread of issues getting Sectigo to respond to problematic certs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1639805

22 years of broadband connectivity since 1999 trial - Live BQM

Edited by jchamier (Sat 08-Jan-22 19:45:02)

Standard User RR_The_IT_Guy
(member) Sat 08-Jan-22 19:44:35

Re: Exchange Coverage Map


[re: jchamier] [link to this post]
 
Ah, turns out it was working on my Chrome, Edge, Firefox.

After some investigation my end, it seems that I have a load of disabled security settings for Firefox, as a long time ago I used Firefox to access an internal site that was secure 50% of the time depending what computer was being used and depending how many times I would reboot the web server; it was the only way to access it.

Since the internal site no longer exists, I have reset Firefox to default and it now no longer accesses the site.

I will admit I haven't used Firefox that much recently, mainly the two RAM suckers (unfortunately the reason I moved to this was due to an extension I needed, only on Chrome or Chromium-based browsers).

Many Thanks,
RR-THE-IT-GUY
My Broadband Ping
Standard User Pheasant
(knowledge is power) Sat 08-Jan-22 20:08:45

Re: Exchange Coverage Map


[re: jchamier] [link to this post]
 
In reply to a post by jchamier:
My guess is the map is outsourced to a third party who have foolishly used Sectigo.

Indeed.



Standard User DougM
(committed) Sat 08-Jan-22 20:46:51

Re: Exchange Coverage Map


[re: deleted] [link to this post]
 
In short, it’s because checking certificate revocation is slow and relatively expensive: maximum security means blocking the connection until the check is complete.

https://www.ssl.com/blogs/how-do-browsers-handle-rev...

You can enable OCSP and CRL in most browser configurations, but many are off by default to make the browser feel more responsive when making new TLS connections.

-==-
DougM
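
The trade-off described in the post above, as an added example that is not part of the original thread: a soft-fail client accepts a revoked certificate whenever the revocation list cannot be fetched, while a hard-fail client blocks. It assumes the Python `cryptography` package; the CA, hostname, dates and function names are all constructed for illustration.

```python
# Added illustration: soft-fail vs hard-fail revocation checking against a CRL.
# Every key, name and certificate is constructed in memory; nothing is fetched.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2022, 1, 8)  # constructed fixed date (naive values are treated as UTC)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, public_key, signer):
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=90))
            .sign(signer, hashes.SHA256()))

def build_fixture():
    """Constructed test CA, one leaf certificate, and a CRL revoking that leaf."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca = _cert("Example Test CA", "Example Test CA", ca_key.public_key(), ca_key)
    leaf = _cert("map.example.test", "Example Test CA", leaf_key.public_key(), ca_key)
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(leaf.serial_number).revocation_date(NOW).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(NOW).next_update(NOW + dt.timedelta(days=7))
           .add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))
    return ca, leaf, crl

def unreachable():
    """Stand-in for a CRL distribution point that never answers."""
    raise TimeoutError("CRL fetch timed out")

def check_revocation(leaf, ca, fetch_crl, hard_fail):
    """Return 'good', 'revoked', 'blocked' or 'allowed-unchecked'."""
    try:
        crl = fetch_crl()
    except OSError:  # TimeoutError and connection errors are OSError subclasses
        # Hard-fail refuses the connection; soft-fail carries on without an answer.
        return "blocked" if hard_fail else "allowed-unchecked"
    if not crl.is_signature_valid(ca.public_key()):
        return "blocked"  # a CRL not signed by the issuing CA proves nothing
    hit = crl.get_revoked_certificate_by_serial_number(leaf.serial_number)
    return "revoked" if hit is not None else "good"
```
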
Standard User RR_The_IT_Guy
(member) Sat 08-Jan-22 20:48:21

Re: Exchange Coverage Map


[re: DougM] [link to this post]
 
In reply to a post by DougM:
In short, it’s because checking certificate revocation is slow and relatively expensive: maximum security means blocking the connection until the check is complete.

https://www.ssl.com/blogs/how-do-browsers-handle-rev...

You can enable OCSP and CRL in most browser configurations, but many are off by default to make the browser feel more responsive when making new TLS connections.


Firefox does this and still feels faster than Chrome.

Many Thanks,
RR-THE-IT-GUY
My Broadband Ping
Standard User deleted
(deleted) Sat 08-Jan-22 22:07:26

Re: Exchange Coverage Map


[re: DougM] [link to this post]
 
In the latest version of Edge I typed 'edge://components' in the browser and for 'CRLSet' I pressed 'Check for Updates', and although it said 'No update available' I am now getting the revoke message, although this may be a coincidence as I tried it on another device and am not getting the revoke message.