
Comment CRLite (Score 5, Informative) 97

The idea of using DNS to distribute revocations has been explored in the academic literature (no, I'm not an author on this paper). The idea of distributing revocations through DNS is related to the idea of distributing TLS key material through DNS, which is the goal of DANE.

CRLite is a system that preemptively pushes all revocation information to TLS clients such as browsers (FULL DISCLOSURE, I'm an author on this). CRLite works because all valid TLS certificates are publicly known in the Certificate Transparency logs, which means all revocations can be crawled. CRLite crawls them, packages the information in a highly compressed data structure, and then pushes that to clients. Mozilla has announced that they are adopting CRLite in Firefox (see here, here, and here). CRLite is a better solution than CRLs and OCSP, at least until (1) we settle on a world where all certificates are extremely short-lived, say 1 week, or (2) OCSP Must-Staple is widely deployed by certificate owners and supported by TLS clients (but don't hold your breath, we're not there yet, FULL DISCLOSURE I'm an author on this too).
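An added illustration, not part of the comment above and not CRLite's own code: the CRLite paper describes its compressed structure as a Bloom filter cascade, which can answer exactly (no false positives) because the full set of valid certificates is known from the logs. The sketch below builds such a cascade; the hash construction, the sizing parameters and the sample identifiers are assumptions made for the example.

```python
import hashlib

class Bloom:
    """Plain Bloom filter; sizing (8 bits/item, 3 hashes) is an assumption."""
    def __init__(self, items, bits_per_item=8, hashes=3, salt=0):
        self.m = max(8, bits_per_item * len(items))
        self.k, self.salt = hashes, salt
        self.bits = bytearray((self.m + 7) // 8)
        for it in items:
            for p in self._positions(it):
                self.bits[p // 8] |= 1 << (p % 8)

    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(f"{self.salt}:{i}:".encode() + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def __contains__(self, item):
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(item))

def build_cascade(revoked, valid):
    """Level 0 holds the revoked set; each further level holds the false
    positives the previous level produced on the opposite set."""
    levels, include, exclude = [], set(revoked), set(valid)
    while include:
        f = Bloom(include, salt=len(levels))  # fresh salt per level
        levels.append(f)
        include, exclude = {x for x in exclude if x in f}, include
    return levels

def is_revoked(levels, cert_id):
    """Exact only for identifiers that were in one of the two input sets."""
    for depth, f in enumerate(levels):
        if cert_id not in f:
            return depth % 2 == 1  # missing at an odd level means revoked
    return len(levels) % 2 == 1    # passed every level

def cascade_bytes(levels):
    return sum(len(f.bits) for f in levels)

# Constructed sample data: 16-byte identifiers, not real certificates.
def sample_ids(prefix, n):
    return {hashlib.sha256(f"{prefix}-{i}".encode()).digest()[:16] for i in range(n)}

REVOKED = sample_ids("revoked", 200)
VALID = sample_ids("valid", 5000)

if __name__ == "__main__":
    cascade = build_cascade(REVOKED, VALID)
    print(len(cascade), "levels,", cascade_bytes(cascade), "bytes")
```

A client holding only the cascade can classify every certificate that appeared in the logs at build time; a certificate issued afterwards is outside both sets and needs a fresh cascade or a delta.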

Comment Re:Wait, wait, let me get this right (Score 1) 270

Paul Francis is quoted because he's studied this exact phenomenon. The relevant paper is here:

Challenges in Measuring Online Advertising Systems
Internet Measurement Conference 2011
Saikat Guha (Microsoft Research), Bin Cheng (MPI-SWS), Paul Francis (MPI-SWS)
http://conferences.sigcomm.org/imc/2010/papers/p81.pdf

Part of the paper focuses on how Facebook ads are targeted. Experiment 8, page 5, looks at the impact of sexual preference on ads. The result is that gay men on Facebook are targeted with ads that 1) target them exclusively, and 2) don't mention that they are gay related. The example given is an ad for nursing school. The problem is even if a person isn't publicly revealing their sexual preference, an advertiser can infer the user's preference based on clicks. The user has no idea that they are implicitly disclosing the information, because they have no idea they are being targeted by a very narrow segment of ads.

I would agree though, if you're really, really worried about your sexual preference leaking, then Facebook isn't a wise organization to entrust the information to...

Comment Re:Interesting, explains the trolls on Facebook I (Score 1) 2

You are very right: Facebook (and Twitter, etc) are already being targeted by this. We're currently trying to quantify the scope of the problem on Facebook.

Stopping crowdturfing is an extremely hard problem. Traditional anti-spam techniques all assume a certain amount of automation on the part of attackers. Mass e-mail spam can be detected by using statistical methods and machine-learning to assess content similarity and look for templates. CAPTCHAs and other Turing tests can hinder bots from logging into social networks, and thus quash the flow of spam. However, when spam is generated by humans, these assumptions are totally shot. Turing tests don't work, each piece of spam content can be tailored to be unique, etc.

Legislation will probably need to be part of the solution, but it won't be 100% effective. Currently, crowdturfing sites operate in the open. Criminalizing them will push them underground, which will hopefully reduce their attractiveness to workers (and thus reduce the amount of spam that is generated). The ban would need to be global though (good luck with that...), otherwise crowdturfing operations can just move offshore.
China

Submission + - Million Dollar Crowdturfing Industry Dupes Social (technologyreview.com) 2

bowlinearl writes: "Three weeks ago Slashdot featured a story on the Chinese Water Army. A new study from researchers at UCSB delves even deeper into the problem of crowdturfing (full disclosure: I am one of the authors of the study). The study reveals that evil crowd sourcing services in China are a multi-million dollar industry, and that the number of jobs and the amount of money are growing exponentially. Hundreds of thousands of workers are involved, including a small contingent of career crowdturfers who each manage hundreds of accounts on social networks. The researchers observed the behavior of workers and the unwitting users who click on the generated spam by infiltrating the two largest crowdsourcing sites in China. However, crowdturfing isn't confined to China: the researchers discovered crowdsourcing sites in the U.S. that are 95% astroturf, as opposed to Amazon's Mechanical Turk which actively polices itself, and is only 12% astroturf."
Encryption

Submission + - Another Hit on AACS: Device Key Found

henrypijames writes: The intense effort by the fair-use community to circumvent AACS (the content protection protocol of HD DVD and Blu-Ray) has produced yet another stunning result: The AACS Device Key of the WinDVD 8 has been found, allowing any movie playable by it to be decrypted. This new discovery by ATARI Vampire of the Doom9 forum is based on the previous research of two other forum members, muslix64 (who found a way to locate the Title Keys of single movies) and arnezami (who extracted the Processing Key of an unspecified software player). AACS certainly seems to be falling apart bit for bit every day now.
