Insecure TLS Certificate Validation

Insecure TLS Certificate Validation

Risk: medium

Description

Insecure TLS certificate validation is a vulnerability in establishing secure connections between a client and a server. TLS (Transport Layer Security) is a cryptographic protocol that provides secure communication over the Internet. When a client connects to a server over TLS, it checks the server's digital certificate to verify its identity and ensure the connection is secure.

Insecure TLS certificate validation occurs when the client fails to properly validate the server's certificate, allowing an attacker to impersonate the server and intercept or modify the communication between the client and the server. This can lead to sensitive information being stolen, modified, or exposed.

The following are some common weaknesses in TLS certificate validation:

• Expired Certificates: A certificate that has expired is no longer considered valid. However, a client that does not check the certificate's expiration date may accept an expired certificate, which could have been revoked or compromised.

• Self-Signed Certificates: A self-signed certificate is a certificate that has been signed by the same entity that issued the certificate. Since there is no independent third party to verify the certificate's authenticity, a client that trusts a self-signed certificate could be vulnerable to a man-in-the-middle attack.

• Wrong-Host Certificates: A certificate is issued for a specific domain name or IP address. If a client connects to a server with a certificate that does not match the hostname or IP address, the client could be vulnerable to a man-in-the-middle attack.

• Untrusted Root Certificates: A root certificate is the top-level certificate in a certificate chain, and it is used to validate the authenticity of all certificates in the chain. If a client does not trust the root certificate used by the server, it may accept a fraudulent certificate that a different, untrusted root certificate has signed.

• Revoked Certificates: A certificate can be revoked if it has been compromised or is no longer considered trustworthy. A client that does not check the certificate's revocation status could accept a revoked certificate, which could be used to perform a man-in-the-middle attack.

JavaDart

import java.net.HttpURLConnection;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
import java.security.SecureRandom;

public class HttpsRequestWithoutTlsVerification {
    public static void main(String[] args) throws Exception {
        // Disable SSL/TLS verification
        TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return null; }
            public void checkClientTrusted(X509Certificate[] certs, String authType) {}
            public void checkServerTrusted(X509Certificate[] certs, String authType) {}
        }};
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustAllCerts, new SecureRandom());

        // Create connection and set SSL context
        URL url = new URL("https://example.com");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sslContext.getSocketFactory());

        // Send HTTP request
        conn.setRequestMethod("GET");
        int responseCode = conn.getResponseCode();
        System.out.println("Response code: " + responseCode);
    }
}

import 'dart:io';

void main() async {
  var client = HttpClient();

  // Disable SSL certificate validation
  client.badCertificateCallback = (X509Certificate cert, String host, int port) => true;

  // Make HTTP request
  var request = await client.getUrl(Uri.parse('https://example.com'));
  var response = await request.close();
  print('Response code: ${response.statusCode}');
  client.close();
}

Recommendation

To mitigate the risk of insecure TLS certificate validation, it is recommended that the application implements secure certificate validation mechanisms on both the client and the server. This includes:

• Checking the validity of the server's certificate to ensure that it has not expired, has not been revoked, and is issued by a trusted certificate authority.
• Configuring the hostname verification to ensure the certificate matches the server's domain name to prevent accepting certificates with invalid hostnames.
• Using trusted certificate authorities and avoiding self-signed certificates or untrusted root certificates.

Additionally, it is important to keep the application and any libraries or frameworks used up-to-date with the latest security patches and to regularly test the application's security posture to identify any vulnerabilities that may exist.

Links

• Properly verify server certificate on SSL/TLS (CERT Secure Coding)
• OWASP: Testing for SSL-TLS OWASP

Standards

• PCI_STANDARDS:
  • REQ_2_2
  • REQ_4_2
  • REQ_6_2
  • REQ_6_3
  • REQ_6_4
  • REQ_11_3