Insecure Network Communication

Fixing Certificate Validation

About Certificate Validation

What is Improper Certificate Validation?

Improper certificate validation refers to a security vulnerability where a system fails to properly verify the authenticity of a digital certificate presented by a remote party during a communication. This can lead to the acceptance of forged or malicious certificates, allowing attackers to perform various attacks such as man-in-the-middle attacks or impersonation attacks.

Proper certificate validation is crucial for maintaining the security of SSL/TLS encrypted communication and ensuring the confidentiality, integrity, and authenticity of data exchanged over the network.

Check out these videos for a high-level explanation:

• Weak certificate validation

• Improper certificate pinning

What is the impact of Improper Certificate Validation?

Improper certificate validation can lead to a range of security threats, including:

• Man-in-the-middle attacks: Attackers can intercept communication between two parties and read or modify the data exchanged between them.
• Data breaches: Attackers can gain unauthorized access to sensitive information or sensitive systems, leading to data breaches.
• Malware distribution: Attackers can use fake digital certificates to distribute malicious software or infect systems with malware.

Overall, improper certificate validation can undermine the security of encrypted communication and compromise the confidentiality, integrity, and authenticity of data exchanged over the network.

How to prevent Improper Certificate Validation?

To prevent improper certificate validation, it is important to follow security best practices, such as:

• Use trusted certificate authorities: Only trust digital certificates issued by well-known and trusted certificate authorities.
• Verify certificate chains: Verify that the certificate presented by the remote party is valid and issued by a trusted certificate authority. Verify the entire certificate chain, including intermediate certificates.
• Check certificate revocation status: Check the revocation status of the certificate presented by the remote party to ensure that it has not been revoked.
• Use certificate pinning: Implement certificate pinning to ensure that the communication only occurs with the exact certificate or certificate authority specified.
• Keep software up to date: Keep software and security protocols up to date, as new vulnerabilities and security patches are regularly released.

Overall, proper certificate validation is crucial for maintaining the security of encrypted communication, and following these best practices can help prevent improper certificate validation and mitigate related security risks.

References

Taxonomies

• OWASP Top 10 - A07 Identification and Authentication Failures
• CWE-295: Improper Certificate Validation

Explanation & Prevention

• OWASP: Transport Layer Protection Cheat Sheet
• OWASP: Certificate and Public Key Pinning
• WASC-04: Insufficient Transport Layer Protection
• The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software
• OpenSSL Hostname Validation documentation

Related CVEs

• CVE Details: CWE-295

Training

• Secure Code Warrior: Weak Certificate Validation
• Secure Code Warrior: Improper Certificate Pinning Configuration
• Secure Code Warrior: Trusting Self-Signed Or Untrusted Certificates

Option A: Properly Set SSL Verification

1. Go through the issues that GuardRails identified in the PR/MR

2. Replace OpenSSL::SSL::VERIFY_NONE:

   http.verify_mode = OpenSSL::SSL::VERIFY_NONE

   with OpenSSL::SSL::VERIFY_PEER:

   # Ensure that you have a valid certificate, otherwise this will raise
   # an OpenSSL::SSL::SSLError.
   # get free certificates at https://letsencrypt.org/
   http.verify_mode = OpenSSL::SSL::VERIFY_PEER

3. Test it

4. Ship it 🚢 and relax 🌴

Fixing Cleartext Transmission

About Cleartext Transmission

What is Cleartext Transmission?

Cleartext transmission, also known as plaintext transmission, refers to the process of transmitting data over a network or communication channel without encryption or other security measures that protect the data from interception or unauthorized access.

In cleartext transmission, the data is transmitted in plain, human-readable format, which means that anyone who has access to the communication channel can read, intercept, or modify the data without any difficulty.

Cleartext transmission can occur in various communication protocols, such as HTTP, FTP, SMTP, and Telnet, and can affect various types of data, such as login credentials, credit card information, personal data, and other types of sensitive information.

Check out these videos for a high-level explanation:

• Communication over cleartext protocol

• Unprotected transport of sensitive information

• Unprotected transport of credentials

What is the impact of Cleartext Transmission?

Cleartext transmission can lead to various security threats and risks, such as:

• Information disclosure: Cleartext transmission can expose sensitive or confidential information to unauthorized parties, such as passwords, credit card numbers, personal data, or other types of sensitive information.
• Man-in-the-middle attacks: Cleartext transmission can be intercepted by attackers who can eavesdrop on the communication channel, modify or steal the data, or impersonate the parties involved in the communication.
• Identity theft: Cleartext transmission can lead to identity theft, where attackers can use stolen personal data to assume the identity of victims and perform various malicious activities, such as financial fraud or unauthorized access to systems.
• Data tampering: Cleartext transmission can allow attackers to modify or inject false data into the communication channel, leading to data tampering, data corruption, or other types of malicious activities.

How to prevent Cleartext Transmission?

To prevent cleartext transmission, you can take the following steps:

• Use encryption: Encrypt sensitive data before transmitting it over any communication channel. Use encryption protocols such as SSL/TLS or HTTPS to ensure that data is encrypted in transit.
• Secure communication channels: Use secure communication channels such as SFTP, SSH, or VPNs to transmit sensitive data. These protocols provide encryption and authentication, which can help prevent unauthorized access and eavesdropping.
• Disable cleartext protocols: Disable cleartext protocols such as HTTP or FTP, and use only encrypted protocols such as HTTPS or SFTP to transmit sensitive data.
• Implement data validation: Implement data validation mechanisms to ensure that only valid data is transmitted. Validate user input and filter out any sensitive data before transmitting it.

References

Taxonomies

• OWASP Top 10 - A02 Cryptographic Failures
• CWE-319: Cleartext Transmission of Sensitive Information

Related CVEs

• CVE Details: CWE-319

Training

• Secure Code Warrior: Communication Over Cleartext Protocol
• Secure Code Warrior: Unprotected Transport of Credentials
• Secure Code Warrior: Unprotected Transport of Sensitive Information

Option A: Use secure source URLs

Solution-specific resources:

• Gemfile - insecure source usage

1. Go through the issues that GuardRails identified in the PR/MR

2. Replace instances of source :XXXXXX:

   source :rubygems

   with the explicit secure URL like

   source 'https://rubygems.org'

3. Test it

4. Ship it 🚢 and relax 🌴