Failure to Check for Certificate Revocation

From Guidance Share

Jump to: navigation, search

Contents

Description

If a certificate is used without first checking to ensure it was not revoked, the certificate may be compromised.

Applies To

  • Languages: Any language which does not abstract out this part of the process
  • Operating platforms: All

Example

The following code, uses a certificate:

if (!(cert = SSL_get_peer(certificate(ssl)) || !host)

... without a call to get_verify_results to check for certificate revocation.

Impact

  • Authentication: Trust may be assigned to an entity impersonating a trusted entity.
  • Integrity: Data from an untrusted (and possibly malicious) source may be integrated.
  • Confidentiality: Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.

Vulnerabilities

  • Failure to use a certificate without checking for revocation.

Countermeasures

  • Design: Ensure that certificates are checked for revoked status.

Vulnerability Patterns

How Tos

Personal tools