App Revocation Checking: Why is this still so hard?

Abstract

Certificate revocation checking is a cornerstone of the security of the public key infrastructure ecosystem, but it is unknown how well mobile applications are conducting certificate revocation checking. In this lightning talk, I discuss our work studying hundreds of mobile applications across over 250,000 captured handshakes, in which we found 0 revocation checks. I conclude this talk by discussing some reasons it is currently difficult for developers to properly check for revocations.

Date
Aug 14, 2018 10:30 AM
Location
USENIX Security