Everyone sucks at SSL
SSL/TLS validation flaws abound, you just have to look for them.
MSRC 2718704, released by Microsoft in mid-June, brings to light a glaring, obvious and long-known problem with SSL certificate validation as it is deployed and implemented in just about every enterprise in the world.
In just about every piece of software or service I've ever reviewed that uses SSL, 99% of the time I can copy and paste the same three findings, which I have been screaming about, to deaf ears, for years:
- Lack of enterprise-, software- or team-specific SSL certificate chain validation (the client trusts every CA in the system store instead of only the CA that is supposed to issue its peer's certificate)
- Lack of hostname validation against the certificate's Common Name (CN) / Subject Alternative Name (the client never checks that the certificate was issued for the host it actually connected to)
- Lack of issuer SSL certificate validation (the client never checks which CA signed the certificate it was handed)
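What closing all three findings looks like in a client, as an added example that is not code from the original post: the TLS context trusts only a specific CA bundle, OpenSSL performs hostname checking during the handshake, and a post-handshake check re-verifies the hostname against the SAN/CN and pins the issuer DN. The bundle path, the `example.com` hostnames, the issuer names and the `getpeercert()`-style sample certificate are constructed for illustration.

```python
import socket
import ssl
from typing import Dict, Optional


# --- Finding 1: chain validation against a specific trust anchor ----------
def make_pinned_context(ca_bundle_path: str) -> ssl.SSLContext:
    """Client context that trusts ONLY the CA(s) in ca_bundle_path.

    PROTOCOL_TLS_CLIENT sets CERT_REQUIRED and check_hostname=True and,
    unlike create_default_context(), does not pull in the OS trust store,
    so a certificate chained to any other CA fails the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_bundle_path)  # hypothetical bundle path
    return ctx


def dn_to_dict(rdn_sequence) -> Dict[str, str]:
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


# --- Finding 2: hostname (SAN / CN) validation -----------------------------
def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost '*' label matching exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """SAN dNSName entries are authoritative; the subject CN is consulted
    only when the certificate carries no SAN at all (RFC 6125 6.4.4)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_dns_name_match(s, hostname) for s in sans)
    cn = dn_to_dict(cert.get("subject", ())).get("commonName")
    return cn is not None and _dns_name_match(cn, hostname)


# --- Finding 3: issuer validation -------------------------------------------
def issuer_matches(cert: dict, expected: Dict[str, str]) -> bool:
    """Every pinned issuer attribute must appear verbatim in the issuer DN."""
    issuer = dn_to_dict(cert.get("issuer", ()))
    return all(issuer.get(k) == v for k, v in expected.items())


def verify_peer(cert: dict, hostname: str, expected_issuer: Dict[str, str]) -> Optional[str]:
    """Return None when the peer passes both checks, else the failing finding."""
    if not hostname_matches(cert, hostname):
        return "hostname mismatch"
    if not issuer_matches(cert, expected_issuer):
        return "unexpected issuer"
    return None


def connect_and_verify(host: str, port: int, ca_bundle_path: str,
                       expected_issuer: Dict[str, str]) -> ssl.SSLSocket:
    """Handshake with chain + hostname checks, then pin the issuer."""
    ctx = make_pinned_context(ca_bundle_path)
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI + OpenSSL hostname check
    problem = verify_peer(tls.getpeercert(), host, expected_issuer)
    if problem:
        tls.close()
        raise ssl.SSLError(f"peer rejected: {problem}")
    return tls


# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Internal Issuing CA"),)),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.internal.example.com")),
}
EXPECTED_ISSUER = {"organizationName": "Example Corp",
                   "commonName": "Example Corp Internal Issuing CA"}

if __name__ == "__main__":
    for host in ("api.example.com", "db.internal.example.com", "evil.example.com"):
        print(host, "->", verify_peer(SAMPLE_CERT, host, EXPECTED_ISSUER) or "ok")
    print("public CA ->", verify_peer(SAMPLE_CERT, "api.example.com",
                                      {"commonName": "Some Public CA"}))
```

The post-handshake hostname check duplicates what `check_hostname=True` already makes OpenSSL do; it is kept so that code paths which disable it (or call `wrap_socket` without `server_hostname`) still fail loudly. The issuer pin is a subset match on DN attributes so an enterprise can rotate to a new issuing CA by changing one dict rather than a stored certificate fingerprint.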