Home > Tech > Everyone sucks at SSL

Everyone sucks at SSL

SSL/TLS validation flaws abound, you just have to look for them.

http://www.casaba.com/blog/2013/03/everyone-sucks-at-ssl-part-1/

In light of MSRC 2718704, released by Microsoft in mid-June, brings to light a glaring, obvious and known problem with current SSL certificate validation and its overarching deployment and implementations across just about every enterprise in the world.

During just about every single software or service I’ve ever reviewed that uses SSL, 99% of the time I can automatically copy and paste 3 findings which I have generally been screaming into dead ears about for years.

  • Lack of enterprise, software or team specific SSL certificate chain validation
  • Lack of specific CNAME level SSL certificate validation
  • Lack of issuer SSL certificate validation
Advertisements
Categories: Tech
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s