SSL Vulnerability in ******** VU#582497

Question

Recently received a warning letter that my application security threatened.

  ---------- Forwarded message ----------
    From: CERT Coordination Center 

        

Answer 1

Can anyone suggest on this issue. What is my fault?

You effectively disable any kind of authentication built into TLS. An attacker can thus easily mount a man-in-the-middle attack or a phishing attack, that is listen to and manipulate the encrypted traffic or claim to be the real server.

Such can usually easy be done with ARP or DHCP spoofing inside the local LAN or a public WLAN, so the problem described is not a theoretical but a real problem.

In detail:

        TrustManager[] trustManagerArray = {new NullX509TrustManager()};
        sslc.init(null, trustManagerArray, null);

Here you disable the check if the certificate is signed by a trusted CA. The attacker can now use any self-signed certificate or a certificate signed by an untrusted CA instead of the real one.

        HttpsURLConnection.setDefaultHostnameVerifier(new NullHostnameVerifier());

Here you disable the check to verify the hostname inside the certificate against the host you want to access. Example:

• the site you want to access is super-secure.example and you bought a certificate for it
• the attacker has the site attacker.example and bought a certificate for it

Usually the client will verify that the name in the certificate matches the name the client connected to. But you explicitly disabled this check with the code above and thus the attackers certificate gets accepted.

You main fault is probably that you just copied some code from somewhere without understanding what it does. Bad idea in any case, but especially for anything related to security.