Sunday, November 19, 2017

SSL Vulnerabilities discovered in Non-Browser Software Packages

Researchers at the University of Texas at Austin and Stanford have revealed that poorly designed APIs in SSL implementations are to blame for certificate-validation vulnerabilities in many critical non-browser software packages.

The research team said several factors contribute to the poor state of SSL in these applications: a lack of testing for vulnerabilities during development; SSL libraries whose default settings are insecure; developers misusing or misinterpreting the security options of libraries that are themselves secure; validation bugs that sit not in the application layer but in middleware, outside the application developer's purview; and cases where developers deliberately turn validation off.

The researchers point out that the SSL libraries themselves (JSSE, OpenSSL, GnuTLS and others) are usually correct; the problem is that developers misunderstand their security options, parameters and return values.

Amazon's Flexible Payments Service PHP library, for example, passes the wrong value to a certificate-validation option: it sets curl's CURLOPT_SSL_VERIFYHOST to true, which curl reads as the integer 1, a mode that only checks that the certificate contains a Common Name rather than that the name matches the host. The developer intended to enable hostname verification and instead silently disabled it.

The PayPal Payments Standard PHP library contains the same bug, the researchers said.
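The option-semantics mistake described above, as an added example written for this article (it is not code from the Amazon or PayPal libraries): the weak call beside a hardened one that pins the integer level, checks every curl_setopt return value, and refuses to use a response when curl_exec reports a failure. The URL is a placeholder.

```php
<?php
// Added example, not code from any vendor library. Shows the pattern
// behind the Amazon FPS / PayPal bug and a hardened replacement.

function fetch_weak(string $url): string|false
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // chain validation: fine
    // BUG: CURLOPT_SSL_VERIFYHOST expects an integer level, not a boolean.
    // true is coerced to 1, which older libcurl read as "check that the
    // certificate has a Common Name" and nothing more, so a valid
    // certificate for any other host was accepted. 2 is the only value
    // that requires the name to match.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
    $body = curl_exec($ch);       // false on failure, never checked here
    curl_close($ch);
    return $body;
}

function fetch_hardened(string $url): string
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // validate the chain against the CA store
        CURLOPT_SSL_VERIFYHOST => 2,     // integer level: name must match the host
    ];
    // A rejected option is a hard error, not a silent fallback to a default
    // we never inspected.
    foreach ($opts as $opt => $value) {
        if (!curl_setopt($ch, $opt, $value)) {
            curl_close($ch);
            throw new RuntimeException("curl_setopt refused option $opt");
        }
    }
    $body = curl_exec($ch);
    if ($body === false) {
        // TLS failures (bad chain, name mismatch) surface here; treat them as fatal.
        $msg = sprintf('transport/TLS failure %d: %s', curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($msg);
    }
    curl_close($ch);
    return $body;
}

// Placeholder endpoint; substitute the real API host.
$body = fetch_hardened('https://api.example.com/health');
```

Two caveats for anyone reproducing this. First, libcurl 7.28.1 began rejecting the value 1 for CURLOPT_SSL_VERIFYHOST and later releases treat 1 as 2, so on a current stack fetch_weak is no longer silently downgraded; the lesson is the pattern (a boolean where the API expects a level, and unchecked return values), not that this exact line still fails today. Second, the hardened version only helps if the error path is actually fatal: swallowing the exception and parsing whatever came back reintroduces the same problem one layer up.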

“SSL certificate validation is completely broken in many critical software applications and libraries,” the report concluded.

Cross-posted: http://threatpost.com

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
