Insecure Network Communication
Fixing Certificate Validation
About Certificate Validation
What is Improper Certificate Validation?
Improper certificate validation refers to a security vulnerability where a system fails to properly verify the authenticity of a digital certificate presented by a remote party during a communication. This can lead to the acceptance of forged or malicious certificates, allowing attackers to perform various attacks such as man-in-the-middle attacks or impersonation attacks.
Proper certificate validation is crucial for maintaining the security of SSL/TLS encrypted communication and ensuring the confidentiality, integrity, and authenticity of data exchanged over the network.
Check out these videos for a high-level explanation:
- Weak certificate validation
- Improper certificate pinning
What is the impact of Improper Certificate Validation?
Improper certificate validation can lead to a range of security threats, including:
- Man-in-the-middle attacks: Attackers can intercept communication between two parties and read or modify the data exchanged between them.
- Data breaches: Attackers can gain unauthorized access to sensitive information or sensitive systems, leading to data breaches.
- Malware distribution: Attackers can use fake digital certificates to distribute malicious software or infect systems with malware.
Overall, improper certificate validation can undermine the security of encrypted communication and compromise the confidentiality, integrity, and authenticity of data exchanged over the network.
How to prevent Improper Certificate Validation?
To prevent improper certificate validation, it is important to follow security best practices, such as:
- Use trusted certificate authorities: Only trust digital certificates issued by well-known and trusted certificate authorities.
- Verify certificate chains: Verify that the certificate presented by the remote party is valid and issued by a trusted certificate authority. Verify the entire certificate chain, including intermediate certificates.
- Check certificate revocation status: Check the revocation status of the certificate presented by the remote party to ensure that it has not been revoked.
- Use certificate pinning: Implement certificate pinning to ensure that the communication only occurs with the exact certificate or certificate authority specified.
- Keep software up to date: Keep software and security protocols up to date, as new vulnerabilities and security patches are regularly released.
Overall, proper certificate validation is crucial for maintaining the security of encrypted communication, and following these best practices can help prevent improper certificate validation and mitigate related security risks.
References
Taxonomies
- OWASP Top 10 - A07 Identification and Authentication Failures
- CWE-295: Improper Certificate Validation
Explanation & Prevention
- OWASP: Transport Layer Protection Cheat Sheet
- OWASP: Certificate and Public Key Pinning
- WASC-04: Insufficient Transport Layer Protection
- The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software
- OpenSSL Hostname Validation documentation
Option A: Ensure certificate validation
Insecure certificate validation, where SSL certificate errors are ignored and any SSL certificate is accepted, can lead to man-in-the-middle attacks, even in a WebView implementation.
- Go through the issues that GuardRails identified in the PR/MR.
- Look for patterns like:
setAllowsAnyHTTPSCertificate:YES
allowsAnyHTTPSCertificateForHost
loadingUnvalidatedHTTPSPage=YES
canAuthenticateAgainstProtectionSpace
continueWithoutCredentialForAuthenticationChallenge
kCFStreamSSLAllowsExpiredCertificates
kCFStreamSSLAllowsAnyRoot
kCFStreamSSLAllowsExpiredRoots
validatesSecureCertificate=NO
allowInvalidCertificates=YES
- Make sure that they don't apply to production code; otherwise, remove them or set them to the secure setting.
Option B: Rely on secure TLS versions
All versions of TLS v1.2 and below, including SSL, have been considered insecure, and it is recommended to switch to TLS v1.3.
Look for patterns like:
- TLSMinimumSupportedProtocolVersion: use tls_protocol_version_t.TLSv13, or tls_protocol_version_t.DTLSv10, instead.
- tlsMinimumSupportedProtocol: is deprecated, use TLSMinimumSupportedProtocolVersion instead.
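The secure counterpart to the patterns in Option A and Option B, as an added example that is not GuardRails' own code: a URLSession delegate that evaluates the full chain with hostname checking, enforces a leaf-certificate pin, and sets the minimum TLS version. The names ValidatingSessionDelegate, makeSession and the caller-supplied pin set are assumptions, and SecTrustCopyCertificateChain assumes iOS 15 / macOS 12 or later.

```swift
import Foundation
import Security
import CryptoKit

// Hypothetical delegate name; the pin set is supplied by the caller.
final class ValidatingSessionDelegate: NSObject, URLSessionDelegate {
    // SHA-256 digests of the DER-encoded leaf certificates we accept.
    private let pinnedLeafHashes: Set<Data>

    init(pinnedLeafHashes: Set<Data>) {
        self.pinnedLeafHashes = pinnedLeafHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Validate the whole chain against the system trust store, with hostname checking.
        let policy = SecPolicyCreateSSL(true, space.host as CFString)
        var error: CFError?
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess,
              SecTrustEvaluateWithError(trust, &error) else {
            // Reject on any validation error; never continue without a valid chain.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Pin check: the presented leaf must be one of the expected certificates.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              pinnedLeafHashes.contains(
                  Data(SHA256.hash(data: SecCertificateCopyData(leaf) as Data))) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Hypothetical factory: a session that refuses anything below TLS 1.3.
func makeSession(pins: Set<Data>) -> URLSession {
    let config = URLSessionConfiguration.ephemeral
    config.tlsMinimumSupportedProtocolVersion = .TLSv13
    return URLSession(configuration: config,
                      delegate: ValidatingSessionDelegate(pinnedLeafHashes: pins),
                      delegateQueue: nil)
}
```

Pinning the leaf certificate means the pin set has to be updated before each certificate rotation, so ship the next certificate's hash alongside the current one.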