Insecure TLS certificate domain name validation

Description

The application does not properly validate the TLS certificate presented by the server, including checking that the certificate's domain name matches the host being connected to, which leaves it vulnerable to man-in-the-middle attacks.

Recommendation

TLS certificate validation is enabled by default in almost all networking libraries. Review your code and configuration to make sure you have not explicitly disabled it, either by turning off verification of the certificate chain or by turning off matching of the certificate's domain name against the host.
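The two checks above, as an added example that is not part of the original page: a runtime audit of a Python `ssl.SSLContext` for the settings that disable chain or hostname validation, beside a small source scanner for the patterns a code review would look for. It uses only the standard library; the `DISABLED_VALIDATION_PATTERNS` list and the `SAMPLE_SOURCE` snippet are constructed for this example and are assumptions, not anything from the page.

```python
"""Added example (not from the original page): detect disabled TLS validation.

Two angles on the recommendation above:
  * audit_context()  - inspect a live ssl.SSLContext for disabled checks
  * scan_source()    - flag source lines that switch validation off
"""
import re
import ssl


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a client context; an empty list means it validates."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: the server certificate chain is not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: the certificate's domain name is not matched against the host")
    return findings


def secure_client_context() -> ssl.SSLContext:
    # create_default_context() loads the system trust store and enables both
    # chain validation (CERT_REQUIRED) and domain-name matching (check_hostname=True).
    return ssl.create_default_context()


def insecure_client_context() -> ssl.SSLContext:
    # The anti-pattern the recommendation warns about: validation explicitly
    # disabled. check_hostname must be cleared before verify_mode is lowered,
    # otherwise Python raises ValueError.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Constructed list of source-level patterns that usually mean validation was
# disabled (requests/httpx keyword, ssl.SSLContext attributes, ssl helper).
DISABLED_VALIDATION_PATTERNS = [
    r"verify\s*=\s*False",
    r"check_hostname\s*=\s*False",
    r"CERT_NONE",
    r"_create_unverified_context",
]


def scan_source(source: str) -> list[tuple[int, str]]:
    """Return (line_number, stripped_line) for lines matching a disable pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(re.search(pattern, line) for pattern in DISABLED_VALIDATION_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample source for the scanner; example.invalid is a reserved name.
SAMPLE_SOURCE = """\
import requests
resp = requests.get("https://example.invalid/api", verify=False)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
"""


if __name__ == "__main__":
    print("default context findings:", audit_context(secure_client_context()))
    print("insecure context findings:", audit_context(insecure_client_context()))
    for lineno, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {line}")
```

The default context returns no findings, the explicitly weakened one returns two, and the scanner reports lines 2, 4 and 5 of the sample. In a real review, run the scanner over the repository and treat every hit as a place where the recommendation above has been violated unless there is a documented reason.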

Standards

  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_4_2
    • REQ_11_3
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_6_7
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5
  • HIPAA_CONTROLS:
    • SECURITY252
    • SECURITY212
    • SECURITY213