Insecure TLS certificate validation (accept self-signed certificate)

Description

The application accepts self-signed certificates, making it vulnerable to man-in-the-middle (MITM) attacks.

Recommendation

An invalid or malicious certificate might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. For example, the software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that originates from a trusted host.
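
The following is an added example, not code from the original advisory: a Go HTTPS client exercised against a loopback server whose certificate is self-signed (the one `httptest.NewTLSServer` generates). It contrasts the vulnerable configuration (`InsecureSkipVerify: true`, which accepts any certificate) with a client that keeps verification on and trusts only an explicitly pinned CA pool; the function names `InsecureConfig`, `PinnedConfig`, `IsUnknownAuthority` and `Demo` are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetchWith issues one GET to url with cfg and returns the handshake/request error, if any.
func fetchWith(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// InsecureConfig is the vulnerable pattern: verification is disabled, so a self-signed
// or attacker-issued certificate is accepted silently (the MITM condition above).
func InsecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// PinnedConfig keeps verification on and trusts only the CA(s) in pool, which is how
// a self-signed certificate should be handled when it is genuinely expected.
func PinnedConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// IsUnknownAuthority reports whether err is the "signed by unknown authority" failure
// that a correctly configured client raises for an untrusted self-signed certificate.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo runs three client configurations against a loopback HTTPS server whose
// certificate is self-signed (generated by httptest) and returns each one's error.
func Demo() (insecureErr, defaultErr, pinnedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	insecureErr = fetchWith(srv.URL, InsecureConfig()) // accepted: the vulnerability
	defaultErr = fetchWith(srv.URL, &tls.Config{})     // system roots only: rejected
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust exactly this self-signed cert, nothing else
	pinnedErr = fetchWith(srv.URL, PinnedConfig(pool)) // accepted, with verification on
	return
}
```

Running `Demo` shows the insecure client and the pinned client both succeed, while the client using only system roots fails with an unknown-authority error; only the pinned configuration does so without disabling validation.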

Standards

  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_4_2
    • REQ_11_3