There are a couple of basic patterns to watch out for; the first covers the most damning failure of not performing certificate validation properly:
SSL or TLS is used, and
HTTPS is not used, and
The library or client application code fails to check whether the server certificate is endorsed by a known CA, or
The library or client application code fails to validate the specific data within the server certificate.
When the application can't cross this bar, the certificate revocation problem is essentially irrelevant, because there are much bigger problems than stolen credentials.
If your application gets the basics right, then here's the pattern for CRL issues:
SSL or TLS is used, and
No attempt is made to ensure that the server's private key hasn't been stolen, or that the certificate was otherwise revoked.
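Both patterns above map directly onto the knobs of a TLS client context. The following is an added example, not code from the original text: it builds the weak configuration beside the hardened one with Python's standard `ssl` module, audits a context for the three failures (no CA endorsement check, no server-identity check, no revocation check), and shows what "validating the specific data within the certificate" means in practice by matching a target hostname against the certificate's subjectAltName entries. The `SAMPLE_PEER_CERT` dictionary is a constructed sample shaped like the return value of `SSLSocket.getpeercert()`; the function names are this example's own.

```python
import ssl

# Constructed sample of what SSLSocket.getpeercert() returns for a certificate
# issued to example.com (sample data, not a real certificate).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a single leading '*' label
    that covers exactly one label of the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard may replace one label only, and never a whole "*.com"-style suffix.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """The 'specific data' check: the name we connected to must appear in the
    certificate's dNSName SAN entries (commonName is consulted only when the
    certificate carries no SAN at all, as legacy clients did)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_dns_name_matches(name, hostname) for name in names)


def weak_context():
    """The first failure pattern: TLS is negotiated, but nothing about the
    server's certificate is ever checked. check_hostname must be cleared
    before verify_mode, or Python refuses the combination."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """CA endorsement, hostname validation and a CRL check on the leaf.
    With VERIFY_CRL_CHECK_LEAF set, a CRL for the issuing CA must be loaded
    (ctx.load_verify_locations) or the handshake fails closed."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit_context(ctx):
    """Return the failure patterns present in a client SSLContext."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("no check that the server certificate is endorsed by a known CA")
    if not ctx.check_hostname:
        findings.append("no validation of the server identity in the certificate")
    if not (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF):
        findings.append("no revocation (CRL) check")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, audit_context(ctx) or ["ok"])
    for host in ("example.com", "www.example.com", "a.b.example.com", "evil.com"):
        print(host, hostname_matches_cert(SAMPLE_PEER_CERT, host))
```

Note that `create_default_context()` already gives you the first two checks; the weak context has to switch them off deliberately, which is exactly why a grep for `CERT_NONE` and `check_hostname = False` is a cheap first audit. Revocation is the one check that is off by default, and enabling `VERIFY_CRL_CHECK_LEAF` without distributing CRLs to the client turns every connection into a failure, so it has to be paired with a CRL refresh process.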