The class that is used for the certificate validation can contain trivial methods. This can lead to a loss of confidentiality of the data transferred via SSL / TSL protocols.

While establishing a protected connection (handshake), a server sends its public key and certificate, which are a cryptographic proof that the public key belongs to the owner of the server, to the client. The authenticity of certificates is provided by Certification Authority.

Even if the methods of the redefined method are not trivial, their implementation is likely to contain mistakes leading to the same consequences.

A possible attack scenario:

The attacker enters the user’s WLAN and redirects the user’s traffic through the attacker’s server (for example, via DNS cache poisoning).
The user initiates a connection to https://safeserver.example.com.via an SSL / TLS protocol through the application.
The attacker sends his/her own public key and a self-signed certificate generated by him/herself for the https://safeserver.example.com.domain to the application .
The application verifies that the received certificate matches the requested domain, ignoring the fact that the received certificate is self-signed.

Insufficient Transport Layer Protection vulnerabilities take the third place in the “OWASP Mobile Top 2014” mobile platforms vulnerabilities ranking.

C-sharp : Unsafe custom SSL implementation

DerScanner Severity Score

Do you want to fix C-sharp : Unsafe custom SSL implementation in your application?

See also