Abstract:
Server identity verification is disabled when making SSL connections. In some libraries that use SSL connections, the server certificate is not verified by default. This is equivalent to trusting all certificates. In other instances, verification can be explicitly disabled, whether intentionally or not.
Explanation:
In some libraries that use SSL connections, the server certificate is not verified by default. This is equivalent to trusting all certificates. In other instances, verification can be explicitly disabled, whether intentionally or not.
Example 1: This application's validation callback always reports that the certificate chain is correct, regardless of what was presented, thereby trusting all certificates.
...
private bool CertificateCheck(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    ...
    // sslPolicyErrors is ignored: name mismatches, untrusted chains and expired certificates all pass
    return true;
}
...
HttpWebRequest webRequest = (HttpWebRequest) WebRequest.Create("https://www.trustedsite.com");
webRequest.ServerCertificateValidationCallback = CertificateCheck;
WebResponse response = webRequest.GetResponse();
...
When trying to connect to "https://www.trustedsite.com", this application would readily accept a certificate issued to "hackedserver.com". The application would now potentially leak sensitive user information on a broken SSL connection to the hacked server.
Recommendations:
Do not forget proper server verification checks when making SSL connections. Depending on the library used, make sure to verify server identity and establish a secure SSL connection.
Example 2: This application does explicitly verify the server certificate.
...
private bool CertificateCheck(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    // Some logic that verifies the certificate is the one expected; here the
    // certificate's thumbprint is compared against a known-good value (MyValidCertificateHash
    // is the thumbprint of the expected server certificate, configured ahead of time).
    return certificate.GetCertHashString() == MyValidCertificateHash;
}
...
HttpWebRequest webRequest = (HttpWebRequest) WebRequest.Create("https://www.trustedsite.com");
webRequest.ServerCertificateValidationCallback = CertificateCheck;
WebResponse response = webRequest.GetResponse();
...
Example 3: This application uses the built-in certificate checking instead of custom validation.
...
HttpWebRequest webRequest = (HttpWebRequest) WebRequest.Create("https://www.trustedsite.com");
// don't specify a validation callback, or explicitly set it to null
WebResponse response = webRequest.GetResponse();
...
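The following is an added example, not code from the original page: it combines the pinning of Example 2 with the built-in checks of Example 3 in one callback, and exercises it offline against two constructed self-signed certificates so the three verdicts (correct pin, name mismatch, wrong certificate) can be seen without a server. PinnedValidator, ExpectedThumbprint and the placeholder thumbprint are assumed names for illustration.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedValidator
{
    // Placeholder (hypothetical): thumbprint of the expected server certificate, obtained out of band.
    public static string ExpectedThumbprint = "PLACEHOLDER-THUMBPRINT";

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Never override the built-in verdict: a name mismatch, a chain error
        // or a missing certificate fails before the pin is even consulted.
        if (certificate == null || sslPolicyErrors != SslPolicyErrors.None)
            return false;

        // Pin on top of the built-in checks (thumbprints are hex, so compare case-insensitively).
        return string.Equals(certificate.GetCertHashString(), ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}

static class Program
{
    // Constructed test certificate so the callback can be exercised offline.
    static X509Certificate2 SelfSigned(string subject)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    static void Main()
    {
        X509Certificate2 pinned = SelfSigned("CN=www.trustedsite.com");
        X509Certificate2 other  = SelfSigned("CN=hackedserver.com");
        PinnedValidator.ExpectedThumbprint = pinned.Thumbprint;

        Console.WriteLine(PinnedValidator.Validate(null, pinned, null, SslPolicyErrors.None));
        Console.WriteLine(PinnedValidator.Validate(null, pinned, null, SslPolicyErrors.RemoteCertificateNameMismatch));
        Console.WriteLine(PinnedValidator.Validate(null, other,  null, SslPolicyErrors.None));

        // Wiring the callback into the request from the examples above (no connection is made here).
        var webRequest = (HttpWebRequest)WebRequest.Create("https://www.trustedsite.com");
        webRequest.ServerCertificateValidationCallback = PinnedValidator.Validate;
    }
}
```

Only the first call returns true; the name-mismatch case fails even though the pinned certificate is presented, which is the behaviour Example 2 alone does not give you.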