Paper Review:- The most dangerous code in the world: validating SSL certificates in non-browser software

Authors: M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov

SSL is a common standard used by Internet community for secure communication. Now a days SSL provides a critical role in many application like banking, sensitive data transfer etc. The core concepts of of SSL depends on the certificate provided by the server during the initial connection establishment. This paper reveals the security flows in many security critical application and libraries due to the improper use of SSL functions. Many of these vulnerability is due to the badly designed APIs in SSL data transport implementation. Most of SSL implementation APIs expose the low level details to application programmers. The common application developers are unaware of options and other parameters in SSL implementation. These leads to the incorrect use of SSL functionality in the application.

Chain-of-trust verification and Host name verification are the two important steps in SSL handshake. This paper give a detailed analysis on this area based on some commonly used libraries and APIs. OpenSSL and JSSE are the most commonly used libraries for SSL abstraction. But both libraries are only covered certification verification part of SSL handshake. Application programmers are need to implement host name verification part by themselves on their application. The non-standard use of these functionality introduce serious vulnerability in SSL communication. Data transport libraries like cURL and Apache httpclient also use the same libraries to achieve SSL capability. SSL tunels are widely used non-browser environment like Cloud Client API, Merchant payment SDK, Web servicing middle ware etc. These applications are security critical because of the nature of data they are handling . Paper also present a experiment conducted based on the vulnerability found on basic libraries and APIs. They are succeeded to perform man-in the middle attack in many application including Amazone Flexible Paymant Gateway,Lynx,Paypal IPN etc.

These paper tries to convey a warning to application developers and APIs Developers. APIs developers must wrap the basic functionality of underlaying system and application developers must study the APIs functionality and options before using them.