SSL connection uses insecure settings. The established connection is insecure and can cause a compromise of valuable data.

InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.

KeyLogWriter specifies the destination for storing TLS secrets in NSS log format, which can be used for external programs, such as Wireshark, to decrypt TLS connections. KeyLogWriter compromises security and should only be used for debugging.

The SSLv2, SSLv23, and SSLv3 protocols contain several flaws that make them insecure, so they should not be used to transmit sensitive data. The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide a protection mechanism to ensure the authenticity, confidentiality and integrity of data transmitted between a client and web server. Both TLS and SSL have undergone revisions resulting in periodic version updates. Each new revision was designed to address the security weaknesses discovered in the previous versions. Use of an insecure version of TLS/SSL will weaken the strength of the data protection and could allow an attacker to compromise, steal, or modify sensitive information.

Weak versions of TLS/SSL may exhibit one or more of the following properties:

No protection against man-in-the-middle attacks
Same key used for authentication and encryption
Weak message authentication control
No protection against TCP connection closing

The presence of these properties may allow an attacker to intercept, modify, or tamper with sensitive data.

To set the parameters of SSL connection, constants that denote the cipher suite are used. Many cipher suits are insecure, obsolete or artificially weakened due to export restrictions. Examples of several cipher suites recommended by IANA in the TLS parameters documentation:

TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256
TLS_DHE_PSK_WITH_AES_256_CCM
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256

Go : Unsafe SSL configuration

DerScanner Severity Score

Do you want to fix Go : Unsafe SSL configuration in your application?

See also