C or C++ : Unsafe SSL settings

Overview

The application establishes an SSL connection with insecure settings.

To establish a secure connection, the application must verify that the certificate corresponds to the requested host, that the certificate has not expired, and that the chain of trust leads back to one of the trusted root certificates installed on the system. Disabling any of these checks may lead to the compromise of transferred data.
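In C and C++ code these three checks are usually switched off through a handful of OpenSSL and libcurl settings. The following added example (not DerScanner's code or rule set) is a small checker that reports which check a source line leaves unenforced; the rule table, the name `scan_line` and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The three checks named above, as bit flags (names are illustrative). */
enum { CHK_CHAIN = 1, CHK_HOST = 2, CHK_EXPIRY = 4, CHK_ALL = 7 };
struct rule { const char *token; int only_if_zero; int disables; };
static const struct rule RULES[] = {
    { "SSL_VERIFY_NONE",           0, CHK_ALL },    /* OpenSSL: result ignored  */
    { "X509_V_FLAG_NO_CHECK_TIME", 0, CHK_EXPIRY }, /* OpenSSL: dates unchecked */
    { "CURLOPT_SSL_VERIFYPEER",    1, CHK_CHAIN | CHK_EXPIRY }, /* libcurl, if 0 */
    { "CURLOPT_SSL_VERIFYHOST",    1, CHK_HOST },   /* libcurl, if 0 */
};

/* Return the bitmask of checks that one source line leaves unenforced. */
int scan_line(const char *line) {
    int mask = 0;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const char *p = strstr(line, RULES[i].token);
        if (!p) continue;
        if (RULES[i].only_if_zero) {
            /* Option value is the literal after the next comma: 0 or 0L. */
            if (!(p = strchr(p, ','))) continue;
            do { p++; } while (isspace((unsigned char)*p));
            if (*p != '0' || isdigit((unsigned char)p[1])) continue;
        }
        mask |= RULES[i].disables;
    }
    return mask;
}

/* Constructed sample lines, not taken from any real project. */
static const char *SAMPLE[] = {
    "SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);",
    "SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);",
    "curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);",
    "curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);",
    "X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);",
};

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++) {
        int m = scan_line(SAMPLE[i]);
        if (m)
            printf("line %zu not enforced:%s%s%s\n", i + 1,
                   m & CHK_CHAIN ? " chain-of-trust" : "",
                   m & CHK_HOST ? " hostname" : "", m & CHK_EXPIRY ? " expiry" : "");
    }
    return 0;
}
```

The secure counterparts appear in the sample as the unflagged lines: `SSL_VERIFY_PEER` for OpenSSL and `CURLOPT_SSL_VERIFYHOST` left at `2L` for libcurl.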

Insecure Communication ranks third in the “OWASP Mobile Top 10 2016” ranking of mobile platform vulnerabilities.

DerScanner Severity Score: CRITICAL
