Skip to main content

Insecure Network Communication

Fixing Certificate Validation

About Certificate Validation

What is Improper Certificate Validation?

Improper certificate validation refers to a security vulnerability where a system fails to properly verify the authenticity of a digital certificate presented by a remote party during a communication. This can lead to the acceptance of forged or malicious certificates, allowing attackers to perform various attacks such as man-in-the-middle attacks or impersonation attacks.

Proper certificate validation is crucial for maintaining the security of SSL/TLS encrypted communication and ensuring the confidentiality, integrity, and authenticity of data exchanged over the network.

Check out these videos for a high-level explanation:

  • Weak certificate validation

  • Improper certificate pinning

What is the impact of Improper Certificate Validation?

Improper certificate validation can lead to a range of security threats, including:

  • Man-in-the-middle attacks: Attackers can intercept communication between two parties and read or modify the data exchanged between them.
  • Data breaches: Attackers can gain unauthorized access to sensitive information or sensitive systems, leading to data breaches.
  • Malware distribution: Attackers can use fake digital certificates to distribute malicious software or infect systems with malware.

Overall, improper certificate validation can undermine the security of encrypted communication and compromise the confidentiality, integrity, and authenticity of data exchanged over the network.

How to prevent Improper Certificate Validation?

To prevent improper certificate validation, it is important to follow security best practices, such as:

  • Use trusted certificate authorities: Only trust digital certificates issued by well-known and trusted certificate authorities.
  • Verify certificate chains: Verify that the certificate presented by the remote party is valid and issued by a trusted certificate authority. Verify the entire certificate chain, including intermediate certificates.
  • Check certificate revocation status: Check the revocation status of the certificate presented by the remote party to ensure that it has not been revoked.
  • Use certificate pinning: Implement certificate pinning to ensure that the communication only occurs with the exact certificate or certificate authority specified.
  • Keep software up to date: Keep software and security protocols up to date, as new vulnerabilities and security patches are regularly released.

Overall, proper certificate validation is crucial for maintaining the security of encrypted communication, and following these best practices can help prevent improper certificate validation and mitigate related security risks.

References

Taxonomies

Explanation & Prevention

Training

Option A: Ensure certificate validation

Insecure certificate validation, even in a WebView implementation, where SSL Certificate errors are ignored and any SSL certificate is accepted can lead to Man-in-the-middle attacks.

  1. Go through the issues that GuardRails identified in the PR/MR.
  2. Look for patterns like:
    • setAllowsAnyHTTPSCertificate:YES
    • allowsAnyHTTPSCertificateForHost
    • loadingUnvalidatedHTTPSPage=YES
    • canAuthenticateAgainstProtectionSpace
    • continueWithoutCredentialForAuthenticationChallenge
    • kCFStreamSSLAllowsExpiredCertificates
    • kCFStreamSSLAllowsAnyRoot
    • kCFStreamSSLAllowsExpiredRoots
    • validatesSecureCertificate=NO
    • allowInvalidCertificates=YES
  3. Make sure that they don't apply to production code, otherwise remove them or set the to the secure setting.

Option B: Rely on secure TLS versions

All versions of TLS v1.2 and below, including SSL have been considered insecure and it is recommended to switch to TLS v1.3.

Look for patterns like:

  • TLSMinimumSupportedProtocolVersion:
    • Use tls_protocol_version_t.TLSv13, or tls_protocol_version_t.DTLSv10 instead.
  • tlsMinimumSupportedProtocol:
    • Is deprecated, use TLSMinimumSupportedProtocolVersion instead.