Go : Unsafe SSL configuration
Classification
Overview
The SSL/TLS connection uses insecure settings. The established connection is insecure and can lead to a compromise of valuable data.
InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
KeyLogWriter specifies the destination for storing TLS secrets in NSS key log format, which allows external programs, such as Wireshark, to decrypt TLS connections. KeyLogWriter compromises security and should only be used for debugging.
The SSLv2, SSLv23, and SSLv3 protocols contain several flaws that make them insecure, so they should not be used to transmit sensitive data. The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide a protection mechanism to ensure the authenticity, confidentiality and integrity of data transmitted between a client and web server. Both TLS and SSL have undergone revisions resulting in periodic version updates. Each new revision was designed to address the security weaknesses discovered in the previous versions. Use of an insecure version of TLS/SSL will weaken the strength of the data protection and could allow an attacker to compromise, steal, or modify sensitive information.
Weak versions of TLS/SSL may exhibit one or more of the following properties:
- No protection against man-in-the-middle attacks
- Same key used for authentication and encryption
- Weak message authentication control
- No protection against TCP connection closing
The presence of these properties may allow an attacker to intercept, modify, or tamper with sensitive data.
To set the parameters of an SSL/TLS connection, constants that denote the cipher suite are used. Many cipher suites are insecure, obsolete, or artificially weakened due to export restrictions. Examples of several cipher suites recommended by IANA in the TLS parameters documentation:
- TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256
- TLS_DHE_PSK_WITH_AES_256_CCM
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
- TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
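The following Go program is an added example and is not part of the original rule text or of any particular project. It places the configuration this rule flags (InsecureSkipVerify, a KeyLogWriter, an old MinVersion, an RC4 suite) next to its corrected form, and adds a small AuditTLSConfig helper that reports those settings using only the crypto/tls API (tls.InsecureCipherSuites, tls.CipherSuiteName). Go's crypto/tls does not implement SSLv2 or SSLv3 at all, so the version check is expressed as a floor on MinVersion; the CipherSuites list is only consulted for TLS 1.2 and below, since TLS 1.3 suites are fixed by the library. The two sample configurations are constructed for the example; the hardenedConfig suite list is an assumption about a reasonable policy, not a quote from the page.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
)

// insecureConfig is a constructed sample carrying every setting this rule flags.
func insecureConfig() *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,             // any certificate and any host name is accepted
		MinVersion:         tls.VersionTLS10, // permits protocol versions with known weaknesses
		KeyLogWriter:       os.Stderr,        // session secrets leave the process
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA, // RC4; crypto/tls lists it in InsecureCipherSuites()
		},
	}
}

// hardenedConfig is the corrected form: verification left on, no key log,
// TLS 1.2 as the floor and only forward-secret AEAD suites (assumed policy).
func hardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// versionName maps a crypto/tls version constant to a readable label.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// AuditTLSConfig reports the unsafe settings present in cfg; an empty slice
// means none of the checks fired. It mirrors the rule's four concerns:
// certificate verification, key logging, protocol version and cipher suites.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify=true: server certificate chain and host name are not verified")
	}
	if cfg.KeyLogWriter != nil {
		findings = append(findings, "KeyLogWriter set: TLS session secrets are written out in NSS key log format")
	}
	// MinVersion 0 means the crypto/tls default (TLS 1.2 in current Go releases),
	// so only an explicit value below TLS 1.2 is reported.
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf("MinVersion=%s: protocol versions below TLS 1.2 are allowed", versionName(cfg.MinVersion)))
	}
	// Build the set of suites crypto/tls itself classifies as insecure and
	// flag any that the configuration explicitly enables.
	insecure := map[uint16]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		if insecure[id] {
			findings = append(findings, fmt.Sprintf("cipher suite %s is marked insecure by crypto/tls", tls.CipherSuiteName(id)))
		}
	}
	return findings
}

func main() {
	for _, c := range []struct {
		name string
		cfg  *tls.Config
	}{{"insecure", insecureConfig()}, {"hardened", hardenedConfig()}} {
		findings := AuditTLSConfig(c.cfg)
		fmt.Printf("%s config: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Running the program prints four findings for the insecure configuration and none for the hardened one. The audit is a review aid, not a substitute for a static analyzer: it only sees a built tls.Config, so settings assigned later (for example a KeyLogWriter attached in a debug code path) must be checked where they are set.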
