-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathUnsafeHostnameVerification.qhelp
More file actions
45 lines (40 loc) · 2.43 KB
/
UnsafeHostnameVerification.qhelp
File metadata and controls
45 lines (40 loc) · 2.43 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
If a <code>HostnameVerifier</code> always returns <code>true</code> it will not verify the hostname at all.
This allows an attacker to perform a Man-in-the-middle attack against the application therefore breaking any security Transport Layer Security (TLS) gives.
An attack would look like this:
1. The program connects to <code>https://example.com</code>.
2. The attacker intercepts this connection and presents one of their valid certificates they control, for example one from Let's Encrypt.
3. Java verifies that the certificate has been issued by a trusted certificate authority.
4. Java verifies that the certificate has been issued for the host <code>example.com</code>, which will fail because the certificate has been issued for <code>malicious.domain</code>.
5. Java wants to reject the certificate because the hostname does not match. Before doing this it checks whether there exists a <code>HostnameVerifier</code>.
6. Your <code>HostnameVerifier</code> is called which returns <code>true</code> for any certificate so also for this one.
7. Java proceeds with the connection since your <code>HostnameVerifier</code> accepted it.
8. The attacker can now read the data your program sends to <code>https://example.com</code> and/or alter its replies while the program thinks the connection is secure.
</p>
</overview>
<recommendation>
<p>
Do not use an open <code>HostnameVerifier</code>.
</p>
<li>If you use an open verifier to solve a configuration problem with TLS/HTTPS you should solve the configuration problem instead.
</li>
</recommendation>
<example>
<p>
In the first (bad) example, the <code>HostnameVerifier</code> always returns <code>true</code>.
This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname.
In the second (good) example, the <code>HostnameVerifier</code> only returns <code>true</code> when the certificate has been correctly checked.
</p>
<sample src="UnsafeHostnameVerification.java" />
</example>
<references>
<li><a href="https://developer.android.com/training/articles/security-ssl">Android Security Guide for TLS/HTTPS</a>.</li>
<li><a href="https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/">Further Information on Hostname Verification</a>.</li>
<li>OWASP: <a href="https://cwe.mitre.org/data/definitions/297.html">CWE-297</a>.</li>
</references>
</qhelp>