Failure to check for certificate revocation

From OWASP


Overview

If a certificate is accepted without first checking whether its issuer has revoked it, a certificate that is already known to be compromised will still be trusted.

Consequences

  • Authentication: Trust may be assigned to an entity that is not who it claims to be.
  • Integrity: Data from an untrusted (and possibly malicious) source may be accepted as trustworthy.
  • Confidentiality: Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.

Exposure period

  • Design: Checks for certificate revocation should be included in the design of a system.
  • Design: One can choose to use a language or library that performs revocation checking as part of its certificate verification, rather than leaving it to each caller.

Platform

  • Languages: Any language whose TLS or certificate library does not perform revocation checking on the caller's behalf
  • Operating platforms: All

Required resources

Minor trust: Users must attempt to interact with the malicious system.

Severity

Medium

Likelihood of exploit

Medium

Avoidance and mitigation

  • Design: Ensure that certificates are checked for revoked status, against the issuer's CRL or via OCSP, every time a certificate is verified; treat an unavailable, stale, or unverifiable revocation source as a verification failure rather than silently continuing.

Discussion

The failure to check for certificate revocation is a far more serious flaw than related certificate failures, because any use of a revoked certificate is almost certainly malicious. The most common reason for revocation is compromise of the certificate's private key (or of the system holding it), so no legitimate server will present a revoked certificate unless its operators have failed to replace it after the revocation.

Examples

In C/C++:

X509 *cert = SSL_get_peer_certificate(ssl);   /* peer's leaf certificate, or NULL */
if (!cert || !host) { /* bail out: nothing to verify */ }
/* ... continues without SSL_get_verify_result() and without any CRL or OCSP
   check, so a revoked (and most likely stolen) certificate is accepted */
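The corrected behaviour, as an added example that is not part of the OWASP page and not OpenSSL code: it is written in Go against the standard library only, because Go's crypto/x509 chain verification deliberately performs no revocation check, so the caller has to supply exactly the step this page is about. The CA, the two leaf certificates (serial 4242 revoked, 4243 not) and the CRL are all constructed in memory inside the example; the function names (checkRevocation, verifyPeer, newTestPKI, must) are this example's own. The check fails closed: a missing, forged or stale CRL is reported as a verification failure, not treated as "not revoked".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type RevocationStatus int

const (
	StatusGood    RevocationStatus = iota // not listed on a fresh, issuer-signed CRL
	StatusRevoked                         // listed on the CRL
	StatusUnknown                         // no usable CRL: the caller must fail closed
)

// checkRevocation looks cert's serial number up in crlDER. The CRL is trusted only if it
// parses, was signed by issuer and is current at now; anything else yields StatusUnknown.
func checkRevocation(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (RevocationStatus, error) {
	if len(crlDER) == 0 {
		return StatusUnknown, fmt.Errorf("no CRL available for issuer")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, fmt.Errorf("parse CRL: %w", err)
	}
	// Without this check an attacker could serve an empty "CRL" and un-revoke a stolen certificate.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusUnknown, fmt.Errorf("CRL not current (valid %s to %s)", crl.ThisUpdate, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// verifyPeer is the full check a TLS client owes a peer certificate: chain validation
// (which crypto/x509 performs) followed by the revocation check (which it leaves to the caller).
func verifyPeer(leaf, root *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	status, err := checkRevocation(leaf, chains[0][1], crlDER, now) // chains[0][1] signed the leaf
	if status == StatusRevoked {
		return fmt.Errorf("certificate with serial %s is revoked", leaf.SerialNumber)
	}
	if status != StatusGood {
		return fmt.Errorf("revocation status unknown, failing closed: %w", err)
	}
	return nil
}

// must panics on error; it only keeps the constructed test PKI below short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestPKI constructs a throwaway in-memory PKI for this example: a CA, a leaf with
// serial 4242 that the returned CRL revokes, and a leaf with serial 4243 that it does not.
func newTestPKI(now time.Time) (ca, revoked, good *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Re-parsing gives the CA the SubjectKeyId that CreateRevocationList requires of an issuer.
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "server.example.test"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	revoked, good = issue(4242), issue(4243)
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}
	return ca, revoked, good, must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
}

func main() {
	ca, revoked, good, crl := newTestPKI(time.Now())
	fmt.Println("good leaf:   ", verifyPeer(good, ca, crl, time.Now()))
	fmt.Println("revoked leaf:", verifyPeer(revoked, ca, crl, time.Now()))
}
```

In a real client, verifyPeer would be called from tls.Config.VerifyPeerCertificate with the CRL fetched from the issuer's distribution point (or replaced by an OCSP response); the fail-closed branch is what distinguishes a real check from one that an attacker can defeat simply by blocking the CRL download. The OpenSSL equivalent of the same design is to set X509_V_FLAG_CRL_CHECK (and X509_V_FLAG_CRL_CHECK_ALL) on the SSL_CTX's certificate store, load the CRL into it, and refuse the connection unless SSL_get_verify_result() returns X509_V_OK.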

Related problems

Categories