This is an interesting paper covering libraries that do the validation of SSL certifications, arguably one of the most fundamental piece of digital security today.
This paper shows unclear syntax and insecure defaults of common SSL libraries such as OpenSSL, JSSE and GnuTLS have led to faulty ssl verification in non-browser software. This covers everything from Amazon’s EC2 library to PayPal’s merchant SDK.
For example, in php, setting CURLOPT_SSL_VERIFYHOST to true actually disables certification verification. This is because this method takes in an integer as an argument, where setting it to 1 just checks for a common name in the SSL peer certificate and setting it to 2 actually enables verification. The confusion comes from the fact that most CURLOPT_* commands take a boolean but in this case, a boolean will be translated to a 1 which will cause insecure behavior.
This paper makes the (justified) statement that SSL libraries expose too many interfaces and delegate too much responsibility to the application to handle the SSL connection. Programmers, even one’s well versed in SSL nuisances, are likely to miss something in the configuration and thus expose customers to man in the middle attacks by not truly verifying SSL.
I think this would make a good paper in next years class and is a cool example of security weakness that arise of over complicated systems/apis.