API interfaces remain insecure after all these years

Mar 31, 2016 22:15 GMT  ·  By

A simple experiment carried out by Web security vendor Sucuri highlights that, four years after the release of a groundbreaking study on the state of SSL/TLS certificates in non-browser applications, some programming languages fail to provide developers with the appropriate tools to validate certificates.

Back in 2012, a team of scientists led by Martin Georgiev from the University of Texas revealed that various API clients written in PHP, Python or Java failed to verify certificates correctly, mostly because the underlying languages did not include the proper tools to do so.

The research paper, called "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software," is relevant even today and showcases that simple MitM attacks can be launched on API infrastructure and be successful in intercepting HTTPS traffic.

Since this traffic is never sent to the browser directly, but only its data is, the user of an app or Web service never knows that sensitive information is exposed to attacks.

PHP and Python implemented fixes

After the paper was released, some issues regarding SSL/TLS verifications were fixed in some programming languages, and more precisely, in PHP with version 5.6, and in Python with versions 3.4.3 and 2.7.9.

Revisiting this research four years later, Sucuri's security experts created a series of test scripts, in PHP, Python, and Go, which connected to a list of known vulnerable HTTPS servers and logged their results to see which ones detected any problems.

The results, pictured below, show that even newer versions of these programming languages have problems in correctly determining the state of an SSL/TLS certificate and shutting down connections if deemed unsafe.

Programming interfaces have a hard time detecting revoked certificates

All the tested configurations, even in the newer Go programming language, failed to detect revoked certificates, which open the door for all kinds of problems.

"PHP, Python, and Google Go perform no revocation checks by default, neither does the cURL library. If the certificate was compromised and revoked by the owner, you will never know about it," noted Sucuri's Peter Kankowski.

"Writing your own revocation check code is hardly realistic," Kankowski also explained. "You would need a skilled cryptographer for this task."

The simplest fix for this matter is to upgrade to the latest version of those programming languages and always keep it that way. Additionally, server owners should consistently use services like BadSSL.com to test any APIs they're interacting with, in order to prevent sending data via unsecured communication channels.

Sucuri test results
Sucuri test results

Photo Gallery (2 Images)

PHP, Go, Python fail to detect revoked certificates
Sucuri test results
Open gallery