Authors: M. Georgiev,
S. Iyengar,
S. Jana,
R. Anubhai,
D. Boneh, and
V. Shmatikov
SSL is a common standard
used by Internet community for secure communication. Now a days SSL
provides a critical role in many application like banking, sensitive
data transfer etc. The core concepts of of SSL depends on the
certificate provided by the server during the initial connection
establishment. This paper reveals the security flows in many security
critical application and libraries due to the improper use of SSL
functions. Many of these vulnerability is due to the badly designed
APIs in SSL data transport implementation. Most of SSL
implementation APIs expose the low level details to application
programmers. The common application developers are unaware of options
and other parameters in SSL implementation. These leads to the
incorrect use of SSL functionality in the application.
Chain-of-trust
verification and Host name verification are the two important steps
in SSL handshake. This paper give a detailed analysis on this area
based on some commonly used libraries and APIs. OpenSSL and JSSE are
the most commonly used libraries for SSL abstraction. But both
libraries are only covered certification verification part of SSL
handshake. Application programmers are need to implement host name
verification part by themselves on their application. The
non-standard use of these functionality introduce serious
vulnerability in SSL communication. Data transport libraries like
cURL and Apache httpclient also use the same libraries to achieve SSL
capability. SSL tunels are widely used non-browser environment like
Cloud Client API, Merchant payment SDK, Web servicing middle ware
etc. These applications are security critical because of the nature
of data they are handling . Paper also present a experiment conducted
based on the vulnerability found on basic libraries and APIs. They
are succeeded to perform man-in the middle attack in many
application including Amazone Flexible Paymant Gateway,Lynx,Paypal
IPN etc.
These paper tries to
convey a warning to application developers and APIs Developers. APIs
developers must wrap the basic functionality of underlaying system
and application developers must study the APIs functionality and
options before using them.