SSL certificates and "the most dangerous code in the world"
Many programs that use encryption are not secure, according to researchers at the University of Texas at Austin and Stanford University. The researchers found that a number of e-commerce web applications, well-known instant messaging clients such as Trillian and AIM, and a long list of cloud services use ineffective encryption. They say that the libraries used for encryption are the main culprit.
SSL is the de facto standard for secure, encrypted internet connections, but that security requires that a program validates the receiver's identity, specifically its SSL certificate. This is exactly where the researchers see a problem: in their study "The Most Dangerous Code in the World: Validating SSL Certiﬁcates in Non-Browser Software", they say that "SSL certificate validation is completely broken in many security-critical applications and libraries".
In applications that aren't written for browsers, SSL is generally implemented using SSL libraries such as JSSE, OpenSSL and GnuTLS; data-transport libraries such as cURL may also be used on occasion. But, the researchers say, the interfaces of these libraries are "badly designed" and offer a confusing array of options and settings that clearly overwhelm a lot of developers.
The research team conducted targeted man-in-the-middle attacks, presenting applications with three kinds of bogus certificates: a self-signed certificate with the correct name, a self-signed certificate with a random name and a certificate that was from a legitimate authority but issued to the domain
AllYourSSLAreBelongto.us – hardly the correct domain. All three certificates managed to find trusting victims that accepted them.
The researchers found these bugs in almost all kinds of applications, from messaging clients to critical business applications that transmit sensitive customer data via services like PayPal and Amazon Flexible Payments Service (FPS). Chase Bank's Android banking app proved to be vulnerable, as did Rackspace's iOS app for managing resources in the cloud. Another study also recently came to the conclusion that encryption is less than ideal in many Android apps.
To improve the situation, the researchers don't believe that it is enough to simply blame the programs' developers – instead, they call on library authors in particular to provide simpler and more consistent error reporting interfaces. In addition, they say, there are currently very few sensible ways to test programs that use SSL.