Insecure Network Communication

Fixing Certificate Validation

About Certificate Validation

What is Improper Certificate Validation?

Improper certificate validation refers to a security vulnerability where a system fails to properly verify the authenticity of a digital certificate presented by a remote party during a communication. This can lead to the acceptance of forged or malicious certificates, allowing attackers to perform various attacks such as man-in-the-middle attacks or impersonation attacks.

Proper certificate validation is crucial for maintaining the security of SSL/TLS encrypted communication and ensuring the confidentiality, integrity, and authenticity of data exchanged over the network.

Check out these videos for a high-level explanation:

  • Weak certificate validation

  • Improper certificate pinning

What is the impact of Improper Certificate Validation?

Improper certificate validation can lead to a range of security threats, including:

  • Man-in-the-middle attacks: Attackers can intercept communication between two parties and read or modify the data exchanged between them.
  • Data breaches: Attackers can gain unauthorized access to sensitive information or sensitive systems, leading to data breaches.
  • Malware distribution: Attackers can use fake digital certificates to distribute malicious software or infect systems with malware.

Overall, improper certificate validation can undermine the security of encrypted communication and compromise the confidentiality, integrity, and authenticity of data exchanged over the network.

How to prevent Improper Certificate Validation?

To prevent improper certificate validation, it is important to follow security best practices, such as:

  • Use trusted certificate authorities: Only trust digital certificates issued by well-known and trusted certificate authorities.
  • Verify certificate chains: Verify that the certificate presented by the remote party is valid and issued by a trusted certificate authority. Verify the entire certificate chain, including intermediate certificates.
  • Check certificate revocation status: Check the revocation status of the certificate presented by the remote party to ensure that it has not been revoked.
  • Use certificate pinning: Implement certificate pinning to ensure that the communication only occurs with the exact certificate or certificate authority specified.
  • Keep software up to date: Keep software and security protocols up to date, as new vulnerabilities and security patches are regularly released.

Overall, proper certificate validation is crucial for maintaining the security of encrypted communication, and following these best practices can help prevent improper certificate validation and mitigate related security risks.

SSL Certificate verification of curl is disabled

The rule detects the SSL_VERIFYPEER option being set to 0 or false in the node-curl and node-libcurl libraries.

This setting disables verification of the peer's SSL certificate, which exposes the connection to man-in-the-middle (MitM) attacks. An attacker can present a false SSL certificate to the client, which accepts it because the peer's certificate is not verified. The attacker can then intercept and modify data exchanged between the client and server, potentially compromising sensitive information or executing unauthorized actions.

It is recommended to set SSL_VERIFYPEER to 1, or true, and to properly configure the trusted Certificate Authority (CA) certificates for secure SSL/TLS connections.

Option A: Enabling SSL_VERIFYPEER (using node-libcurl Curl)

  1. Go through the issues that GuardRails identified in the PR, for a pattern similar to the following:

    const { Curl } = require('node-libcurl');

    const curl = new Curl();

    // Insecure example
    curl.setOpt(Curl.option.SSL_VERIFYPEER, false);

    // This is also insecure
    curl.setOpt('SSL_VERIFYPEER', 0);

  2. Set SSL_VERIFYPEER to true (or 1).

    const { Curl } = require('node-libcurl');

    const curl = new Curl();

    // Secure example
    curl.setOpt(Curl.option.SSL_VERIFYPEER, true);

    // Fix for the other insecure example
    curl.setOpt('SSL_VERIFYPEER', 1);

  3. Test it

  4. Ship it 🚢 and relax 🌴

Option B: Enabling SSL_VERIFYPEER (using node-libcurl Easy)

  1. Go through the issues that GuardRails identified in the PR, for a pattern similar to the following:

    const { Easy } = require('node-libcurl');

    const handle = new Easy();

    // Insecure example
    handle.setOpt('SSL_VERIFYPEER', false);

  2. Set SSL_VERIFYPEER to true.

    const { Easy } = require('node-libcurl');

    const handle = new Easy();

    // Secure example
    handle.setOpt('SSL_VERIFYPEER', true);

  3. Test it

  4. Ship it 🚢 and relax 🌴

Option C: Enabling SSL_VERIFYPEER (using node-curl)

  1. Go through the issues that GuardRails identified in the PR, for a pattern similar to the following:

    const { curl } = require('node-curl');
    const url = "https://www.guardrails.io/";

    // Insecure example
    curl(url, {SSL_VERIFYPEER: 0});

  2. Set SSL_VERIFYPEER to 1.

    const { curl } = require('node-curl');
    const url = "https://www.guardrails.io/";

    // Secure example
    curl(url, {SSL_VERIFYPEER: 1});

  3. Test it

  4. Ship it 🚢 and relax 🌴
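
The insecure patterns from Options A to C can also be caught before merge with a small source check. The following is an added example, not GuardRails' rule or code from either library; the function name, regexes and sample lines are constructed for illustration, and it only recognises literal 0 or false values.

```javascript
// Added example: flag disabled peer verification in node-curl / node-libcurl code.
// Function name, regexes and sample lines are illustrative assumptions.

// Literal values that switch verification off.
const OFF = String.raw`(?:0|false)\b`;

const PATTERNS = [
  // curl.setOpt(Curl.option.SSL_VERIFYPEER, false) or handle.setOpt('SSL_VERIFYPEER', 0)
  new RegExp(String.raw`\.setOpt\(\s*(?:[\w.]+\.)?['"]?SSL_VERIFYPEER['"]?\s*,\s*` + OFF),
  // curl(url, {SSL_VERIFYPEER: 0})
  new RegExp(String.raw`['"]?SSL_VERIFYPEER['"]?\s*:\s*` + OFF),
];

// Returns [{ line, text }] for every line that disables SSL_VERIFYPEER.
function findDisabledPeerVerification(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((raw, i) => {
    const text = raw.trim();
    // Skip whole-line comments only; cutting at any "//" would also cut URLs
    // and hide a setting that follows one on the same line.
    if (text.startsWith('//')) return;
    if (PATTERNS.some((re) => re.test(text))) findings.push({ line: i + 1, text });
  });
  return findings;
}

// Constructed sample input covering the patterns from Options A to C.
const SAMPLE = [
  "const { Curl, Easy } = require('node-libcurl');",
  "const curl = new Curl();",
  "curl.setOpt(Curl.option.SSL_VERIFYPEER, false);",
  "curl.setOpt('SSL_VERIFYPEER', 0);",
  "curl.setOpt('SSL_VERIFYPEER', 1);",
  "// handle.setOpt('SSL_VERIFYPEER', false);",
  "new Easy().setOpt('SSL_VERIFYPEER', true);",
  "nodeCurl('https://www.guardrails.io/', {SSL_VERIFYPEER: 0});",
].join('\n');

for (const f of findDisabledPeerVerification(SAMPLE)) {
  console.log(`line ${f.line}: ${f.text}`);
}
```

A value passed through a variable or read from configuration is not matched by this check, so it complements rather than replaces the step of testing the connection against a server with an untrusted certificate.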