Difference between revisions of "Failure to check for certificate revocation"
|Line 1:||Line 1:|
|Line 70:||Line 69:|
Revision as of 13:03, 16 May 2006
If a certificate is used without first checking to ensure it was not revoked, the certificate may be compromised.
- Authentication: Trust may be assigned to an entity who is not who it claims to be.
- Integrity: Data from an untrusted (and possibly malicious) source may be integrated.
- Confidentiality: Date may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.
- Design: Checks for certificate revocation should be included in the design of a system.
- Design: One can choose to use a language which abstracts out this part of authentication and encryption.
- Languages: Any language which does not abstract out this part of the process
- Operating platforms: All
Minor trust: Users must attempt to interact with the malicious system.
Likelihood of exploit
Avoidance and mitigation
- Design: Ensure that certificates are checked for revoked status.
The failure to check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly malicious. The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync.
if (!(cert = SSL_get_peer(certificate(ssl)) || !host) ... without a get_verify_results