A couple of weeks ago, I had written about how caching sensitive data could lead to the downfall of your business. Over the last few days, in conversation with our security researchers at Appknox, I learnt that just as dangerous as caching of sensitive data is, are also the impacts of improper certificate validation.
Certificate Validation is an advanced feature for businesses that need to verify or authenticate the interaction between the client or application with the data stored on a server to prevent malpractices or spoofed activities.
At this stage, you probably think this is going down the technical path; however I’m going to attempt to break it down and show you how improper certificate validations could affect your business as a whole.
So what exactly happens when a certificate is invalid or malicious?
The answer is as simple as ‘what would happen if you left the lock to your house door opened’. In this case:
1. Invalid certificates might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack.
2. The software might connect to a malicious host while believing it is a trusted host.
3. The software might be deceived into accepting spoofed data that appears to originate from a trusted host.
In simple words, the certificate acts as that lock between the thief and your house door which in this case is the hacker and the server in which your critical data is stored.
What could happen if an attacker can bypass the certificate validation?
Attackers use multiple bypasses to get access to critical data. Some of the ways are through creating a self-signed certificate with a weak authentication or creation of a proxy which allows visibility of HTTPS or SSL traffic and other such techniques. How does this impact businesses and consumers?
To Businesses: Most of us know what could happen when there is a data breach detected within businesses. Here’s another reminder!
a. Loss in brand value
b. Loss in revenue
c. Huge fines imposed by cyber authorities
d. Loss of customers
To Consumers: You and I both are consumers and most of us entrust businesses with our personal data. The analogy here could be something like, if you told a secret to a friend, and he/she let it out (even if it was by mistake), would you ever tell him/her a secret ever again? In this case, your secrets to businesses could be anything ranging from usernames & passwords, credit card & account details, critical or private data and a whole lot more.
A few things businesses could do to ensure you have the ‘Right Certificate’…
1. Always acquire a certificate from a Root Certificate Authority (RCA).
2. Choose a ‘trusted RCA’ according to the customer base of your businesses in regards to the browser, operating system and platform they use.
3. On purchase of an RCA, you are given a public and a private key. Never share the private key with even your closest friends, because the private key holds access to all encrypted data.
Certificates issued by a trusted certificate authority usually have five primary authentication points which are further subdivided into multiple checks which are then authenticated by the browser in the case of a web application and the operating system or the app itself, in the case of a mobile application.
Our researchers at Appknox have detected multiple certificate issues in e-commerce and payment mobile apps that could have potentially cost these businesses a fortune. However, our constant efforts of educating businesses towards being proactive about security assisted in a more positive outcome.
If this is something you or your business is also concerned about, our security researchers would love to have a conversation with you.