Consumers use the Internet for banking, emailing, shopping and much more nowadays. With so much personal and private information being transmitted over the Web, Internet users must be able to rely on and trust the sites they are accessing. For security purposes, websites use certificates to establish encrypted communications. When a site becomes compromised, its certificate should be revoked.
A new study offers the first end-to-end evaluation of the Web's certificate revocation ecosystem, which includes website administrators that obtain and revoke certificates, certificate authorities that publish a list of revoked certificates, and browsers that check the revocation list to authenticate a website.
The study results reveal that website administrators are still serving a large number of revoked certificates, certificate authorities are not using newer processes for distributing revocations, and Web browsers are not checking whether certificates have been revoked. The findings indicate that all participants in the revocation ecosystem must improve their performance to fulfill their responsibilities and ensure system success.
"The findings paint a bleak picture, because users put an immense amount of trust into the browsers they use and the websites they visit to do what is necessary to protect their security," says study co-author Dave Levin, an assistant research scientist at the University of Maryland Institute for Advanced Computer Studies.
The results of the study will be presented October 29, 2015 at the Association for Computing Machinery Internet Measurement Conference (ACM IMC) in Tokyo. Levin conducted the study with researchers from Stanford University, Northeastern University, Duke University and Akamai Technologies.
Secure online communication requires authentication, that is, a user's ability to determine with whom he or she is communicating. Central to achieving authentication on the Web is a system known as the Public Key Infrastructure (PKI), which consists of certificates and encryption keys. While online use of the PKI is mostly automated, the system requires a surprising amount of human intervention to maintain the validity of the certificates.
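The three-party revocation flow the article describes (a site administrator asks for a revocation, the certificate authority publishes a revocation list, and the browser checks that list before trusting the site) as an added example that is not part of the article or of the study. It uses the Python `cryptography` library; the CA name, the hostnames and the fixed timestamp are constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed values for the example: the CA's name and a fixed "now".
NOW = datetime.datetime(2015, 10, 29, tzinfo=datetime.timezone.utc)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])

def make_ca():
    """The certificate authority: a key pair and a self-signed CA certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_site_cert(ca_key, hostname):
    """The CA issues a website certificate (the site's private key is not needed here)."""
    site_key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(CA_NAME).public_key(site_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=90))
            .sign(ca_key, hashes.SHA256()))

def publish_crl(ca_key, revoked_serials):
    """The CA publishes a signed CRL listing the serials site administrators asked to revoke."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def client_accepts(cert, crl, ca_cert):
    """The browser's side: authenticate the CRL, then refuse any serial it lists.
    A CRL that fails signature validation is treated as absent, and the client
    fails closed rather than trusting the certificate without a revocation check."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
```

The last function is the step the study found browsers skipping: a client that never consults the CRL accepts the compromised site's certificate exactly as it accepts a valid one.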
http://www.sciencedaily.com/releases/2015/10/151028123956.htm