Re: Unintended consequences of Browser Fascism
Of course, if you're connecting to routerlogin.net, it's entirely possible that you're doing so because you've lost your Internet connection. In that case OCSP won't work, and OCSP defaults to failing insecure.
So maybe your browser or OS (if the browser delegates this to the OS) downloaded a CRL from Entrust Datacard that includes this revocation, in which case you'll see a warning about a revoked certificate. How many users will just click through that?
And, of course, once the certificate expires, so will the revocation.[1] At some point the remaining potentially vulnerable users will see a certificate-expired warning rather than a certificate-revoked one, which seems much less worrisome to users, even technically-experienced ones.
Of course Netgear will no doubt admit there's an issue and fix it with a firmware update, just as soon as they finish ice-skating in Hell.
(And, yes, I realize this is just another case of the unattended-server private-key problem, which we've known about since the '80s, and which has no good solution.)
[1] This is a well-known problem with timestamped signatures as well. That's not relevant in this context, but it's Yet Another gaping flaw in the PKIX use of X.509 revocation.
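The three situations the post describes (OCSP unreachable and soft-failing, a previously cached CRL carrying the revocation, and the revocation entry vanishing once the certificate itself expires) can be traced through a small model of client-side revocation checking. The following is an added example and not code from the post or from any browser; the certificate serial, dates, and the `check_status`/`issue_crl` functions are constructed for illustration. The CRL pruning rule it models is the one RFC 5280 section 5 permits: a CA may drop a revoked certificate's entry once that certificate has expired.

```python
"""Model of client-side revocation checking: OCSP soft-fail vs hard-fail,
a cached CRL, and a revocation entry that disappears after the certificate
expires. Constructed example; serial numbers and dates are placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class Verdict(Enum):
    GOOD = "good"         # no revocation information says otherwise
    REVOKED = "revoked"   # a usable source lists the serial as revoked
    EXPIRED = "expired"   # validity period has ended
    UNKNOWN = "unknown"   # status could not be determined (hard-fail blocks here)


@dataclass(frozen=True)
class Cert:
    serial: int
    not_after: datetime


@dataclass
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, datetime]  # serial -> revocation time

    def is_fresh(self, now: datetime) -> bool:
        return self.this_update <= now <= self.next_update


def issue_crl(ca_revoked: Dict[int, datetime], certs: Dict[int, Cert],
              now: datetime, lifetime: timedelta) -> Crl:
    """Build a CRL as RFC 5280 section 5 permits: entries for certificates that
    have already expired MAY be dropped, because relying parties are expected
    to reject the expired certificate anyway."""
    listed = {s: t for s, t in ca_revoked.items()
              if s in certs and certs[s].not_after > now}
    return Crl(this_update=now, next_update=now + lifetime, revoked=listed)


def ocsp_query(serial: int, ca_revoked: Dict[int, datetime],
               reachable: bool) -> Optional[bool]:
    """Simulated OCSP responder: True/False for revoked/good, or None when the
    responder cannot be reached (the no-Internet case from the post)."""
    if not reachable:
        return None
    return serial in ca_revoked


def check_status(cert: Cert, now: datetime, ca_revoked: Dict[int, datetime],
                 responder_reachable: bool, cached_crl: Optional[Crl],
                 hard_fail: bool) -> Verdict:
    """Expiry first, then OCSP, then a fresh cached CRL. With hard_fail=False
    (the soft-fail default the post complains about) an unreachable responder
    and no usable CRL yield GOOD; with hard_fail=True they yield UNKNOWN."""
    if now > cert.not_after:
        return Verdict.EXPIRED
    ocsp = ocsp_query(cert.serial, ca_revoked, responder_reachable)
    if ocsp is not None:
        return Verdict.REVOKED if ocsp else Verdict.GOOD
    if cached_crl is not None and cached_crl.is_fresh(now):
        return Verdict.REVOKED if cert.serial in cached_crl.revoked else Verdict.GOOD
    return Verdict.UNKNOWN if hard_fail else Verdict.GOOD


# Constructed scenario: one certificate whose private key leaked, revoked at T0.
T0 = datetime(2020, 1, 20, tzinfo=timezone.utc)
ROUTER_CERT = Cert(serial=0x1234, not_after=T0 + timedelta(days=365))  # placeholder
CERTS = {ROUTER_CERT.serial: ROUTER_CERT}
CA_REVOKED = {ROUTER_CERT.serial: T0}


def scenarios() -> Dict[str, object]:
    """Run the situations described in the post and return each verdict."""
    r = {}
    day_after = T0 + timedelta(days=1)
    # 1. Internet down: responder unreachable, nothing cached.
    r["offline_soft_fail"] = check_status(ROUTER_CERT, day_after, CA_REVOKED,
                                          False, None, hard_fail=False)
    r["offline_hard_fail"] = check_status(ROUTER_CERT, day_after, CA_REVOKED,
                                          False, None, hard_fail=True)
    # 2. Internet down, but a fresh CRL was fetched earlier.
    crl = issue_crl(CA_REVOKED, CERTS, T0, lifetime=timedelta(days=7))
    r["offline_with_crl"] = check_status(ROUTER_CERT, day_after, CA_REVOKED,
                                         False, crl, hard_fail=False)
    # 3. After not_after: the CA may prune the entry; the client says "expired".
    later = ROUTER_CERT.not_after + timedelta(days=1)
    later_crl = issue_crl(CA_REVOKED, CERTS, later, lifetime=timedelta(days=7))
    r["crl_entry_pruned"] = ROUTER_CERT.serial not in later_crl.revoked
    r["after_expiry"] = check_status(ROUTER_CERT, later, CA_REVOKED,
                                     True, later_crl, hard_fail=True)
    return r


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The model shows why a cached CRL is the only thing that helps the offline user in the post's scenario, and why, after the certificate's own expiry, even a fully reachable revocation infrastructure can no longer tell the user the key was compromised rather than merely old.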