Michael Mimoso’s article today at Threatpost summarized a recent ACM CCS ’12 paper that examined just how well SSL certificate validation is implemented in a variety of applications. (Hint: not well.)
From the paper:
“SSL certificate validation is completely broken in many critical software applications and libraries” – so broken that “any SSL connection from any of these programs is insecure against a man-in-the-middle attack” [1].
Much of the affected software the paper's authors found dealt with money – e.g., Amazon and PayPal. However, the worst bug award goes to Chase’s Android mobile banking app, as even some guy with an evil Wi-Fi access point can steal Chase banking credentials.
The article does an ok job of covering the paper, but it does say some silly things – like “the death knell for SSL is getting louder” [2]. The SSL protocol itself is fine. Even the libraries implementing SSL are fine [1].
Instead, the paper claims that poorly designed developer-facing SSL library APIs are at fault, as they “expose low-level details of the SSL protocol” that confuse developers. Additionally, the article ignores the helpful advice section for developers at the end of the paper.
While the paper itself is solid, several readers disagreed that the API as a whole is at fault.
Comments left on the article’s Slashdot post [3] brought up the fact that many SSL libraries, such as OpenSSL, are poorly documented, and that the whole API might not totally be at fault. Additionally, a comment on the article further highlights that “this isn’t a problem with the SSL API” – instead, it is a “problem with the lack of a standard mechanism” for SSL certificate management – the API “provides hooks for connecting to a certificate manager instead of providing” one.
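Certificate validation is made up of separate checks (chain verification and hostname verification) that low-level APIs let application code switch off one at a time. As an added example, not taken from the paper or the article, here is a small linter that flags those switches in Python source; the choice of Python's `ssl` module and the `requests` `verify` parameter is an assumption made for illustration, and the sample source is constructed.

```python
import ast

# Constructed sample source for the demo; hostnames and variable names are made up.
SAMPLE = '''\
import ssl, requests
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
requests.get("https://bank.example/login", verify=False)
legacy = ssl._create_unverified_context()
good = ssl.create_default_context()
requests.get("https://bank.example/login", verify="/etc/ssl/corp-ca.pem")
'''

def _tail(node):
    """Last component of a dotted name: ssl.CERT_NONE -> 'CERT_NONE'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def _is_false(node):
    """True only for the literal False, not for 0 or None."""
    return isinstance(node, ast.Constant) and node.value is False

def find_disabled_validation(source):
    """Return sorted (line, finding) pairs for code that turns TLS checks off."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                attr = target.attr if isinstance(target, ast.Attribute) else None
                if attr == "check_hostname" and _is_false(node.value):
                    findings.append((node.lineno, "hostname check disabled"))
                elif attr == "verify_mode" and _tail(node.value) == "CERT_NONE":
                    findings.append((node.lineno, "chain verification disabled"))
        elif isinstance(node, ast.Call):
            if _tail(node.func) == "_create_unverified_context":
                findings.append((node.lineno, "unverified context"))
            if any(kw.arg == "verify" and _is_false(kw.value) for kw in node.keywords):
                findings.append((node.lineno, "verify=False"))
    return sorted(findings)

if __name__ == "__main__":
    for line, finding in find_disabled_validation(SAMPLE):
        print(f"line {line}: {finding}")
```

The default context and the call that pins a CA bundle path are not flagged, since both leave chain and hostname checks on.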
More cool stuff related to the paper can be found at Georgiev’s website under Publications here: https://www.cs.utexas.edu/~georgiev/publications.php.
[1] M. Georgiev, R. Anubhai, S. Iyengar, D. Boneh, S. Jana, V. Shmatikov. The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. ACM CCS 2012. http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[3] http://it.slashdot.org/story/12/10/25/2020223/ssl-holes-found-in-critical-non-browser-software