Failure to Check for Certificate Revocation
From Guidance Share
Contents |
[edit]
Description
If a certificate is used without first checking to ensure it was not revoked, the certificate may be compromised.
[edit]
Applies To
- Languages: Any language which does not abstract out this part of the process
- Operating platforms: All
[edit]
Example
The following code, uses a certificate:
if (!(cert = SSL_get_peer(certificate(ssl)) || !host)
... without a call to get_verify_results to check for certificate revocation.
[edit]
Impact
- Authentication: Trust may be assigned to an entity impersonating a trusted entity.
- Integrity: Data from an untrusted (and possibly malicious) source may be integrated.
- Confidentiality: Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.
[edit]
Vulnerabilities
- Failure to use a certificate without checking for revocation.
[edit]
Countermeasures
- Design: Ensure that certificates are checked for revoked status.
[edit]
Vulnerability Patterns
[edit]