Swift : Unsafe SSL configuration
Classification
Overview
The SSL connection uses insecure settings. A connection established this way is insecure and can lead to the compromise of valuable data.
In some libraries that use SSL connections, the server certificate is not verified by default. This is equivalent to trusting all certificates.
The SSLv2, SSLv23, and SSLv3 protocols contain several flaws that make them insecure, so they should not be used to transmit sensitive data. The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide a protection mechanism to ensure the authenticity, confidentiality and integrity of data transmitted between a client and a web server. Both TLS and SSL have undergone revisions resulting in periodic version updates. Each new revision was designed to address the security weaknesses discovered in the previous versions. Using an insecure version of TLS/SSL weakens the data protection and could allow an attacker to compromise, steal, or modify sensitive information.
Weak versions of TLS/SSL may exhibit one or more of the following properties:
- No protection against man-in-the-middle attacks
- Same key used for authentication and encryption
- Weak message authentication control
- No protection against TCP connection closing
The presence of these properties may allow an attacker to intercept, modify, or tamper with sensitive data.
