Why is this an issue?

Validation of X.509 certificates is essential for creating SSL/TLS sessions that are not vulnerable to man-in-the-middle attacks.

The certificate chain validation includes these steps:

It’s not recommended to reinvent the wheel by implementing custom certificate chain validation.

TLS libraries provide built-in certificate validation functions that should be used.

Noncompliant code example

HTTP request tools such as curl, wget and Invoke-WebRequest offer the option to disable certificate verification. The following example successfully requests data from a server with an insecure certificate. Thus, it is possible that the response was intercepted or tampered with by a third party.

FROM ubuntu:22.04

# Noncompliant
RUN curl --insecure -O https://expired.example.com/downloads/install.sh

Compliant solution

Enabling certificate verification helps to make sure that the created TLS session is secure and cannot be intercepted. In this example, the option to disable certificate verification is removed, and a request is made to a secure server instead.

FROM ubuntu:22.04

RUN curl -O https://new.example.com/downloads/install.sh
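To catch this regression in CI, the following check (an added example, not part of the rule page or of any tool's own code) scans a Dockerfile's RUN instructions for the verification-disabling options of curl, wget and Invoke-WebRequest. It assumes the documented flag names curl -k/--insecure, wget --no-check-certificate and Invoke-WebRequest -SkipCertificateCheck, and takes the Dockerfile path as its argument.

```shell
#!/bin/sh
# Added example, not from the original rule page: report RUN instructions
# that turn off TLS certificate verification in curl (-k / --insecure),
# wget (--no-check-certificate) and Invoke-WebRequest (-SkipCertificateCheck).
# Flag names are assumptions taken from the tools' documentation.

# Match only inside the command segment that starts with the tool name
# (stop at ; & |) so unrelated commands on the same RUN line are not blamed.
# Combined short flags such as -sSLk are caught by the -[A-Za-z]*k group.
INSECURE_TLS_PATTERN='curl[^;&|]*[[:space:]](-[A-Za-z]*k[A-Za-z]*|--insecure)([[:space:]]|$)|wget[^;&|]*--no-check-certificate|Invoke-WebRequest[^;&|]*-SkipCertificateCheck'

# Join backslash-continued lines so a multi-line RUN is inspected as one command.
join_continuations() {
    sed -e ':a' -e '/\\[[:space:]]*$/N; s/\\[[:space:]]*\n//; ta' "$1"
}

# Print the offending RUN instructions, one per line; print nothing when clean.
list_insecure_tls_runs() {
    join_continuations "$1" |
        grep -E '^[[:space:]]*RUN([[:space:]]|$)' |
        grep -E -- "$INSECURE_TLS_PATTERN" || true
}

# Number of offending RUN instructions; 0 means the Dockerfile complies.
count_insecure_tls_runs() {
    list_insecure_tls_runs "$1" | grep -c . || true
}

# Usage: ./check_tls_verify.sh Dockerfile   (exit status 1 when noncompliant)
if [ "${1:-}" ]; then
    list_insecure_tls_runs "$1" | sed 's/^/Noncompliant: /'
    [ "$(count_insecure_tls_runs "$1")" -eq 0 ] || exit 1
fi
```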

Resources