A simple experiment carried out by Web security vendor Sucuri highlights that four years after the release of a groundbreaking study on the state of SSL/TLS certificates in non-browser applications, some programming languages fail to provide developers with the appropriate tools to validate certificates.
Back in 2012, a team of scientists led by Martin Georgiev from the University of Texas revealed that various API clients written in PHP, Python or Java failed to verify certificates correctly, mostly because the underlying languages did not include the proper tools to do so.
The research paper, called " The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software ," is even relevant today, and showcases that simple MitM attacks can be launched on API infrastructure and be successful in intercepting HTTPS traffic.
Since this traffic is never sent to the browser directly, but only its data, the user, of an app or Web service, never knows that sensitive information is exposed to attacks.
PHP and Python implemented fixes
After the paper was released, some issues regarding SSL/TLS verifications were fixed in some programming languages, and more precisely in PHP with version 5.6, and in Python with versions 3.4.3 and 2.7.9.
Revisiting this research four years later, Sucuri’s security experts created a series of test scripts , in PHP, Python, and Go, that connected to a list of known HTTPS servers, and logged their results to see which ones detected any problems.
The results, pictured below, show that even newer versions of these programming languages have problems in correctly determining the state of an SSL/TLS certificate and shutting down connections if deemed unsafe.
Programming interfaces have a hard time detecting revoked certificates
All the tested configurations, even in the newer Go programming language, failed to detect revoked certificates, which open the door for all kinds of problems.
"PHP, Python, and Google Go perform no revocation checks by default, neither does the cURL library. If the certificate was compromised and revoked by the owner, you will never know about it," noted Sucuri’s Peter Kankowski.
"Writing your own revocation check code is hardly realistic," Kankowski also explained . "You would need a skilled cryptographer for this task."
The simplest fix for this matter is to upgrade to the latest version of those programming languages and always keep it that way. Additionally, server owners should consistently use services like BadSSL.com to test any APIs they’re interacting with, in order to prevent sending data via unsecured communication channels.
Sucuri test results
转载本站任何文章请注明：转载至神刀安全网，谢谢神刀安全网 » PHP, Python and Google Go Fail to Detect Revoked TLS Certificates