
Even if we generate a new key pair and replace our certificate, aren’t we still vulnerable to MIM attacks if someone had downloaded the old private key and uses the old certificate?


Yes. Certificate revocation doesn't work in a MITM scenario because of the way it's implemented in every major browser:

http://news.netcraft.com/archives/2013/05/13/how-certificate...


That's why it's so vital for everyone to implement Perfect Forward Secrecy. Yes, it's a little late for that now in regard to this bug, but who knows what other bugs like this will be discovered in the future. Let's at least not make the same mistake twice, by not taking advantage of PFS, which could've prevented most of the damage from Heartbleed.


As much as I'm a fan of Perfect Forward Secrecy, it does not protect you against MITM with old certificates.


Also, how does issuing a new certificate work with certificate pinning, whether tack.io or built into the browser?

I was working on a standalone certificate checker last year but couldn't figure this one out.


Doesn't browser pinning usually pin to the CA?


That would be the answer I was looking for. :)


until it's revoked.



