
Validating SSL/TLS connections is security-sensitive

    Details

    • Message:
      Make sure that SSL/TLS connections are validated safely here
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6
    • Irrelevant for Languages:
      XML
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-295
    • OWASP:
      A6
    • SANS Top 25:
      Porous Defenses

      Description

      Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:

      SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to Man-in-the-middle attacks (MITM).

      Ask Yourself Whether

      • Invalid SSL/TLS certificates are accepted automatically.
      • The user is asked to accept invalid SSL/TLS certificates.

      You are at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Accept only trusted SSL/TLS certificates.
      • Do not ask users to accept unsafe connections as they are unlikely to make an informed security decision.
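      As an added example (not part of the rule page or of SonarSource's own implementation), in Python: the noncompliant pattern the rule targets beside the compliant one, an audit of an ssl.SSLContext, and a small text scan for the source patterns such a rule would flag. The flagged-pattern list is an assumption; the page does not enumerate per-language patterns.

```python
import re
import ssl

def noncompliant_context():
    """Accepts every certificate: no chain validation, no hostname check.
    This is the pattern the rule flags; a MITM can present any certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def compliant_context(cafile=None):
    """Validates the chain against the system CA store (or a pinned cafile)
    and checks that the certificate matches the requested hostname."""
    return ssl.create_default_context(cafile=cafile)

def context_validates_peer(ctx):
    """Return the problems found; an empty list means the context validates the peer."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        problems.append("check_hostname is disabled")
    return problems

# Assumed list of Python source patterns a rule like RSPEC-5326 would flag.
FLAGGED = [
    (re.compile(r"\bverify\s*=\s*False\b"), "HTTP call with verify=False"),
    (re.compile(r"\bCERT_NONE\b"), "ssl.CERT_NONE disables certificate validation"),
    (re.compile(r"\bcheck_hostname\s*=\s*False\b"), "hostname verification disabled"),
]

def scan_source(source):
    """Return (line_number, message) for each line matching a flagged pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, message in FLAGGED:
            if pattern.search(line):
                hits.append((lineno, message))
    return hits

# Constructed sample input, not code from any real project.
SAMPLE = """\
import requests
r = requests.get("https://example.test", verify=False)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
"""

if __name__ == "__main__":
    for lineno, msg in scan_source(SAMPLE):
        print(f"line {lineno}: {msg}")
```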

      See

        Issue Links

          1. Java RSPEC-5327 Language-Specification Active Unassigned

              People

              • Assignee: Unassigned
              • Reporter: nicolas.harraudeau (Nicolas Harraudeau)
