Spotting the Sin Pattern

There are two basic patterns to watch out for. The first covers the most damning failure, not performing certificate validation properly at all:

  • SSL or TLS is used, and

  • HTTPS is not used (so no browser is doing the certificate checks for you), and

  • The library or client application code fails to check that the server certificate chains to a trusted CA, or

  • The library or client application code fails to validate the specific data within the server certificate, such as whether the name in the certificate matches the server being contacted.

If the application can't clear this bar, the certificate revocation problem is essentially irrelevant: an attacker who can present any certificate at all has no need for a stolen key, and there are much bigger problems than stolen credentials.

If your application gets the basics right, then here's the pattern for CRL issues:

  • SSL or TLS is used, and

  • No attempt is made (for example, by checking a CRL) to determine whether the server's certificate has been revoked, whether because its private key was stolen or for some other reason.
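To make the two patterns above concrete, here is an added example (not from the book) that builds three Python `ssl` client contexts, one matching each sin pattern and one that clears both bars, plus an audit routine that reports which conditions a context exhibits. The function names and the `crl_pem` parameter are assumptions of this example; it uses only the standard library and needs no network.

```python
"""Audit a Python ssl.SSLContext against the two TLS sin patterns.

Added example, not from the original text. Requires only the stdlib `ssl` module.
"""
import ssl
from typing import List, Optional


def sinful_context() -> ssl.SSLContext:
    """First pattern: TLS is spoken, but the client checks neither the chain nor the name.

    With these settings a self-signed or forged certificate is accepted, so anyone
    in the network path can impersonate any server; revocation is moot.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no CA check, no name check: the sin
    return ctx


def revocation_blind_context() -> ssl.SSLContext:
    """Second pattern: chain and name are verified, but a revoked certificate still passes.

    create_default_context() gives CERT_REQUIRED and check_hostname=True, but it sets
    no CRL verification flags, so a certificate whose key was stolen is still trusted.
    """
    return ssl.create_default_context()


def hardened_context(crl_pem: Optional[str] = None) -> ssl.SSLContext:
    """Both bars cleared: trusted chain, matching name, and leaf checked against a CRL.

    VERIFY_CRL_CHECK_LEAF is fail-closed: if no CRL for the issuer has been loaded,
    every handshake fails with "unable to get certificate CRL". `crl_pem` (an assumed
    parameter) is the path to a PEM file holding the issuing CA's current CRL.
    """
    ctx = ssl.create_default_context()
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if crl_pem is not None:
        ctx.load_verify_locations(cafile=crl_pem)  # load_verify_locations accepts CRLs too
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """List the sin-pattern conditions an SSLContext exhibits (empty list means none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("name in the server certificate is not checked")
    if not (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF):
        findings.append("no revocation (CRL) check on the server certificate")
    return findings


def sin_pattern(ctx: ssl.SSLContext) -> str:
    """Map a context onto the text's two patterns: 'basic validation', 'revocation', or 'none'."""
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        return "basic validation"  # the first, more damning pattern
    if not (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF):
        return "revocation"        # basics are right, but a revoked cert still passes
    return "none"


if __name__ == "__main__":
    for name, ctx in [("sinful", sinful_context()),
                      ("default", revocation_blind_context()),
                      ("hardened", hardened_context())]:
        print(f"{name:9s} -> {sin_pattern(ctx)}: {audit(ctx)}")
```

Two caveats a practitioner should keep in mind: OpenSSL's CRL checking is fail-closed, so the hardened context only completes a handshake once a current CRL for the issuing CA has been loaded, and the standard-library client performs no OCSP queries, so online status checks have to be done outside this module.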



19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
Year: 2003
Pages: 239
