Thursday, November 8, 2012

SSL Certificate Validation

I quite enjoyed this recent paper: The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software

We present an in-depth study of SSL connection authentication in non-browser software, focusing on how diverse applications and libraries on Linux, Windows, Android, and iOS validate SSL server certificates. We use both white- and black-box techniques to discover vulnerabilities in validation logic. Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries. When presented with self-signed and third-party certificates—including a certificate issued by a legitimate authority to a domain called AllYourSSLAreBelongTo.us—they establish SSL connections and send their secrets to a man-in-the-middle attacker.

Security is interesting; there are so many different ways to get it wrong!
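The two failure cases the abstract names map onto two independent checks a client has to perform: that the certificate chains to a trusted root (which a self-signed certificate fails) and that the name in the certificate is the name the client asked for (which a perfectly valid certificate for AllYourSSLAreBelongTo.us fails). The example below is added here to make that split concrete; it is not code from the paper or from any of the libraries it surveys. The `PeerCert` record, the `chain_trusted` flag standing in for a completed path validation, and the three sample certificates are all constructed for illustration.

```python
"""
Server-certificate validation as two independent checks: chain trust and
hostname matching.  Added example with constructed certificate data; not
code from the paper or from any TLS library.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PeerCert:
    """The fields of a parsed X.509 leaf that matter here (constructed
    stand-in, not parsed from a real certificate)."""
    subject_cn: Optional[str]            # Subject Common Name (legacy name field)
    san_dns: Tuple[str, ...] = ()        # subjectAltName dNSName entries
    chain_trusted: bool = False          # assumed result of path validation to a trusted root


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the requested hostname.

    Rules (RFC 2818 / RFC 6125, tightened the way current TLS stacks do):
    case-insensitive; a wildcard may appear only as the entire leftmost
    label; it matches exactly one label; and '*.tld' never matches.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if not all(h_labels):
        return False                     # empty label, e.g. '.example.com'
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                     # 'w*.example.com' and 'a.*.com' are rejected
    if len(p_labels) < 3:
        return False                     # '*.com' would match every .com host
    if len(p_labels) != len(h_labels):
        return False                     # '*' covers one label, not 'a.b'
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: PeerCert, hostname: str) -> bool:
    """RFC 6125 section 6.4.4: when any dNSName SAN is present the CN is
    ignored; the CN is consulted only for certificates with no SAN at all."""
    if cert.san_dns:
        names = cert.san_dns
    else:
        names = (cert.subject_cn,) if cert.subject_cn else ()
    return any(dns_name_matches(name, hostname) for name in names)


def validate_server_cert(cert: PeerCert, hostname: str) -> Tuple[bool, str]:
    """Both checks must pass.  Dropping either one is the bug class the paper
    describes: chain-only lets a valid certificate for another domain through,
    name-only lets a self-signed certificate bearing the right name through."""
    if not cert.chain_trusted:
        return False, "chain does not end at a trusted root (self-signed or unknown CA)"
    if not hostname_matches(cert, hostname):
        return False, "certificate is valid but was issued to a different name"
    return True, "ok"


def chain_only_check(cert: PeerCert) -> bool:
    """The incomplete check that accepting the AllYourSSLAreBelongTo.us
    certificate implies: trust anything a CA signed, whatever its name."""
    return cert.chain_trusted


# Constructed inputs standing in for three certificates a MITM might present
# to a client that believes it is talking to www.example.com.
SELF_SIGNED = PeerCert(subject_cn="www.example.com",
                       san_dns=("www.example.com",), chain_trusted=False)
THIRD_PARTY = PeerCert(subject_cn="AllYourSSLAreBelongTo.us",
                       san_dns=("allyoursslarebelongto.us",), chain_trusted=True)
LEGITIMATE = PeerCert(subject_cn="example.com",
                      san_dns=("example.com", "*.example.com"), chain_trusted=True)


if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED),
                        ("third-party", THIRD_PARTY),
                        ("legitimate", LEGITIMATE)):
        ok, why = validate_server_cert(cert, "www.example.com")
        print(f"{label:12s} full validation={ok!s:5s} chain-only={chain_only_check(cert)!s:5s}  {why}")
```

The self-signed certificate fails the first check and the AllYourSSLAreBelongTo.us certificate fails the second, while `chain_only_check` waves the latter through. In Python's own `ssl` module the same split is visible in the context settings: `ssl.create_default_context()` sets `verify_mode=CERT_REQUIRED` and `check_hostname=True`, and a client that sets `CERT_NONE` has turned off both checks at once.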
