In association with heise online

14 November 2007, 14:26

Ruby applications accept arbitrary SSL certificates

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Security services provider iSEC has revealed a vulnerability in the Net::HTTPS module in the Ruby scripting language. Applications which use this module could be vulnerable to man-in-the-middle attacks. According to the security advisory, although the module does check whether a certificate is generally valid, it does not check the common name (CN), i.e. that the server name on the certificate matches the origin of the relevant page. An attacker could therefore use an arbitrary valid certificate issued by a public CA to infiltrate a connection using a MITM attack.

Apparently, the problem results from the connect method in the http.rb file failing to call the post_connection_check function after negotiating an SSL connection. The net::ftptls, net::telnets and net::imap modules, and the CVS versions of net::pop and net::smtp are also affected by this problem.

The bugs are present in all 1.8.x versions and in development version 1.9 prior to 23rd Sept. 2006. Updating to version 1.8.6 -p111 or 1.8.5-p114 (GZIP files) fixes the problem. The official security advisory on also recommends setting the option http.enable_post_connection_check = true to activate post connection checking. Red Hat has already released a package in which the bug has been fixed. This package also fixes a DoS vulnerability. Other Linux distributors are likely to follow suit shortly.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit