Slashdot Mirror

← Back to Stories (view on slashdot.org)

PHP, Python and Google Go Fail To Detect Revoked TLS Certificates (softpedia.com)

Posted by BeauHD on from the problematic-encounters-of-the-SSL/TLS-certificates-kind dept.

An anonymous reader writes: Four years after the release of a groundbreaking study on the state of SSL/TLS certificates in non-browser applications (APIs [to be exact]), some programming languages fail to provide developers with the appropriate tools to validate certificates. Using three simple test scripts connected to a list of known vulnerable HTTPS servers, researchers logged their results to see which programming languages detected any problems. According to the results, all tested programming languages (PHP, Python, Go), in various configurations, failed to detect HTTPS connections that used revoked SSL/TLS certificates. This is a problem for HTTPS-protected APIs since users aren't visually warned, like in browsers, that they're on an insecure connection. "PHP, Python, and Google Go perform no revocation checks by default, neither does the cURL library. If the certificate was compromised and revoked by the owner, you will never know about it," noted Sucuri's Peter Kankowski.

64 comments

  1. Sooo... by ADRA · · Score: 1, Insightful

    I don't use any of these programming languages. Maybe a little more exhaustive list of working / no-working languages and libraries would be a great resource.

    --
    Bye!
    1. Re:Sooo... by DNS-and-BIND · · Score: 2

      "Most languages do OK while these few aren't" isn't a news story. I think you don't understand how clicks on the internet work. Alarmism gets people to click, reporting facts doesn't.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Sooo... by Anonymous Coward · · Score: 1

      Or, more to the point this retarded summary ignores the fact that the article itself is about libraries supporting those languages.
      And of course plenty of other libraries as well, and old versions of browsers, and a ton of other stuff.

      In fact working TLS Certificate revocation (not the theory, the actual use) is a relatively new thing, so it is not that surprising that
      there is plenty of infrastructure out there that either does not support it, or does it wrong. It is also not exactly simple.

      Is it a bad thing to report? of course not.
      Is this a hyped and wrongly focused article? You bet.

      Welcome to the InterWebs.

    3. Re:Sooo... by Anonymous Coward · · Score: 0

      I don't use any of these programming languages.

      Don't you? How about applications written in those languages? Or what about external libraries written in one of those languages (and could you even tell without looking at the source code)?

      It's an interconnected world and, as the recent OpenSSL bug amply demonstrated, just because you didn't write the doesn't mean your application is secure.

      -JS

    4. Re:Sooo... by Anonymous Coward · · Score: 0

      To back that up: http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html

  2. the tools should make this easier by WatchMaster · · Score: 4, Insightful

    in java at least, it is quite a project to properly validate a chain of certificates to a root with full support for the several types of certificates. These libraries should provide a simple binary function that can validate a certificate, including revocation. That is - this is an area where experts in this subject should provide standard libraries. Much like one should be wary of writing your own encryption, one should be wary of writing certificate validation code without the required expertise.

    1. Re:the tools should make this easier by Anonymous Coward · · Score: 3, Informative

      The only problem with that is many of the CRL servers respond very slowly or not at all. For our customers, especially the ones using a GoDaddy cert, we had to disable CRL and OCSP checks in Java to make connecting to them reliable. For our PHP services, not checking those slow and unreliable lists made our services much faster and more reliable. Until companies like GoDaddy get their act together, I'm glad PHP doesn't check.

    2. Re: the tools should make this easier by Anonymous Coward · · Score: 0

      Java 7 update 25 added that. Because we used Go Daddy certs, we couldn't even connect between our own services. Disabling the check fixed the problem, and made things much faster.

    3. Re: the tools should make this easier by Anonymous Coward · · Score: 0

      GoDaddy also broke all of our cisco VPNs because GoDaddy didn't respond before the timeout.

    4. Re: the tools should make this easier by Anonymous Coward · · Score: 0

      Their revocation servers are extremely slow and suffer from a lot of outages.

    5. Re:the tools should make this easier by Anonymous Coward · · Score: 0

      The problem is OpenSSL. OpenSSL, by default, does not check the CRL specified by the cert, nor does it check OCSP. Even if you turn on CRL checking, it checks the peer cert only, not the entire chain. You have to specify TWO options to have it check the whole chain.

    6. Re:the tools should make this easier by Jesus_666 · · Score: 1
      Not binary. I'm thinking of an asynchronous (because CRL servers can be slow) function that returns a status like "valid", "invalid", "self-signed", "expired", "revoked", "known-bad CA" or "request timed out". That way you can check for validity (result == CertificateCheckResult.Valid) but still react appropriately to specific issues, even if it's just to display the appropriate error message. Something like this (in pseudo-C#):

      Certificate foo; // magically appears from somewhere
      var result = await foo.CheckValidity(2000); // timeout in ms

      switch (result)
      {
      case CertificateCheckResult.Valid:
      return "It's valid! Hooray!";
      case CertificateCheckResult.Expired:
      return "2old4me";
      default:
      return "I can't be arsed to write code for all the cases. Something is wrong."
      }

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    7. Re: the tools should make this easier by Anonymous Coward · · Score: 0

      Why would it require a call to a remote server to see if a cert is expired? The expiration date is baked into the cert itself. As for checking revocation, that would require a call out to a remote server (since certs can be revoked at any time) - but I'd hope the client caches the result so it isn't hitting the revocation server 1:1 with every call the client makes.

    8. Re: the tools should make this easier by Jesus_666 · · Score: 1

      Good point, although this can happen transparently in the background. The method should still be called asynchronously because you have no idea whether a call will be made and how long it's going to take.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    9. Re: the tools should make this easier by ista · · Score: 1

      Exactly that's the point: the certificate has an expiry date set, but what if the certificate's private key has been compromised or the certificate should not have been issued at all? Revocation services exist to invalidate a not yet expired certificate. Basically the browser/client locally validates certificate chain, expiry date and so on. If everything looks fine, the client does query an online service (ocsp) of the issuing CA if the current specific certificate has been revoked; this result may be cached for hours or even days. Another older technique are Certificate Revocation Lists (CRL), who are simply cacheable blacklists to be downloaded once in a while(crls typically may be cached for a week, but they do tend to grow to unusable large sizes - hence most browsers prefer to go for OCSP only).

  3. I feel like an idiot by Anonymous Coward · · Score: 0

    Am I the only one who feels stupid reading this? I have used python extensively for this in the past and never once considered that it wouldn't throw some kind of exception if that were to occur.

    CAPTCHA: goofed

  4. Libraries by 110010001000 · · Score: 1, Troll

    This is a function of libraries, not languages. People are getting dumber in this industry.

    1. Re:Libraries by Fnord666 · · Score: 2

      This is a function of libraries, not languages. People are getting dumber in this industry.

      The article makes this clear and lists the libraries from these languages that were used in the testing. The IQ drop seems to be on the slashdot end.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    2. Re:Libraries by Anonymous Coward · · Score: 0

      A language's standard built-in library is effectively part of the language.

    3. Re:Libraries by Tablizer · · Score: 1

      Maybe we need a new term for it all. "Language kit"?

      --
      Table-ized A.I.
    4. Re: Libraries by Anonymous Coward · · Score: 0

      My favorite function is easter_days()..........

    5. Re:Libraries by 110010001000 · · Score: 2

      The point is use a different library then if you need the functionality. It has nothing to do with "Python" or "PHP" or "Go". And if there isn't a library that does it for your language, then write your own librarary. Don't expect everyone to implement everything under the sun.

    6. Re: Libraries by Anonymous Coward · · Score: 0

      I made the same comment just prior to you, it was modded into oblivion. Slashdot has fallen so far, I remember when it was worth my while logging in to converse with other intellectuals.
      I finally have that damn kids on the lawn moment, these damn 80s and 90s children are lost.

    7. Re:Libraries by Anonymous Coward · · Score: 0

      Mod parent +1, painfully obvious, but true.

  5. And the problem is??? by guruevi · · Score: 5, Insightful

    TLS/SSL certificate revocation has historically never been and still isn't very robust. It's been around for decades, I remember trying to work with Verisign (I think they're still around although their certificates were awfully expensive) in the early 2000's when CRL's were introduced and more down than up and they didn't think it was very important, I simply ignored it then since most CRL servers either didn't exist, didn't work or were overloaded.

    In API's the certificates that may be accepted are typically well defined where any random certificate on the other side just won't work, valid or not. I know PHP, Python and Perl allow/require you to define a certificate store where trusted certs live and it is relatively well documented not to use the systems' store unless you trust all the root certificates in it.

    In addition, you can't just change a commonly used API like cURL and suddenly require things that were previously not required for no good reason. It's the same reason SSL libraries support(ed) old versions of SSL that were dead decades ago (RC4, SSLv2/v3) until an actual protocol flaw comes up.

    TLDR: It's not a problem for anyone knowledgeable of the situation, API's don't just connect to random sites on the Internet and trust their data (or shouldn't) and those that do should be using the built-in features to check OCSP/CRL's.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:And the problem is??? by Sneftel · · Score: 1

      I agree with most of that, but

      In addition, you can't just change a commonly used API like cURL and suddenly require things that were previously not required for no good reason. It's the same reason SSL libraries support(ed) old versions of SSL that were dead decades ago (RC4, SSLv2/v3) until an actual protocol flaw comes up.

      if an application is currently connecting to a host with a revoked certificate... maybe it should break?

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    2. Re:And the problem is??? by guruevi · · Score: 1

      The developers should indeed make the program check the certificate IF they deem it necessary. OCSP/CRL's are only useful when SSL is used to authenticate a host, not just to encrypt. SSL IMHO should not be used for authentication in the first place, that's not what the protocol was designed for, we have Kerberos and other encrypted methods of authentication over unsafe channels.

      To make outgoing calls just to check OCSP/CRL's which incurs a lot of extra time and resources for every call (although there is some caching possible) when in 99.9% an OCSP/CRL doesn't even exist because usually you're dealing with self-signed and internal certificates, is just ludicrous. You shouldn't expect libraries to do things it previously wasn't doing just because some developers/sysadmins are morons.

      It's the same reason I don't like OpenSSL removing support for libraries between minor versions, because some developers may need it and instead of fixing the attacks by having developers/sysadmins fix their setups (ala ssl_methods = !SSLv2 !SSLv3 !RC4) or end software (Postfix, Dovecot etc) removing the feature, we're just removing support for features forcing rewrites of existing software that didn't have problems with the issue to begin with.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:And the problem is??? by MikeBabcock · · Score: 2

      There have been good stories about this, like here: http://news.netcraft.com/archi...

      --
      - Michael T. Babcock (Yes, I blog)
  6. curl | sh by Anonymous Coward · · Score: 1

    Can we stop it already?

  7. Cert revokation is terminally broken. Wontfix. by Anonymous Coward · · Score: 5, Informative

    This is not something that should be held against the programming languages or their standard libraries. Cert revocation has never worked and will never work. All reasonable developers have given up on it. Trying to make it work is an exercise in futility and can only do more harm than good. That's why Let's Encrypt only issues very short lived certificates and plans to reduce the lifetime of certificates even more.

    1. Re:Cert revokation is terminally broken. Wontfix. by Anonymous Coward · · Score: 1

      OCSP Stapling, and specifically Must-Staple, which is now RFC 7633, mean we can have revocation that actually works one day, perhaps soon. Here's how:

      1. When the certificate is issued RFC 7633 is used to assert that this certificate is "Must-Staple" which means it is only valid when accompanied by a stapled OCSP response for the certificate.

      2. The web server (or whatever else is doing TLS) on start-up and then periodically (say, once per hour) goes to fetch an OCSP response about its own certificate. If that stops working, eventually it's a critical error, just like if the disk broke, or the network went down. The OCSP responses come from the company that sold you a certificate. If they're unreliable, you're the customer, you demand your money back. Guess what - suddenly fixing the OCSP is a priority.

      3. Whenever the web server provides its certificate to a client, it staples the last OCSP response it has.

      4. The client spots the Must-Staple certificate, and checks for the OCSP response stapled to it. The OCSP response (just like today, when it's done by the client) has a timestamp and a maximum-age. If it's out of date, this certificate is worthless.

      That's how we can actually do revocation. Not today, but maybe tomorrow and definitely within five years.

  8. wget? by Anonymous Coward · · Score: 1

    what about zoidberg?

    1. Re: wget? by Anonymous Coward · · Score: 0

      Woomp woomp woomp woomp

  9. Test site by Anonymous Coward · · Score: 0

    Security Now podcast covered how browsers don't always notify. Check yours at https://revoked.grc.com

  10. Requests by Riddler+Sensei · · Score: 1

    For Python they used urllib and ssl which, yeah, are in the standard library, but Requests is kind of the de facto HTTP library. Requests does do SSL cert verification, although it doesn't mention revocation specifically.

    1. Re:Requests by Riddler+Sensei · · Score: 2

      Oh, no, wait, I they did try Requests and it mostly passed EXCEPT for revocation. I simply checked the github repo that was posted and only saw the urllib/ssl test.

  11. Apache by Anonymous Coward · · Score: 0

    At least Apache has OCSP support. I wonder how many things can do SCVP, though?

    Oddly enough, the federal government does PKI far better than most private industries, at least those I interact with.

  12. Revocation by Anonymous Coward · · Score: 1

    Isn't cert revocation done by os updates these days? You cannot expect a language to maintain it's own ca store. Though it would be excellent if it did, and validated automatically.

    1. Re: Revocation by Anonymous Coward · · Score: 1

      Java does, and it's a pain in the ass sometimes.

  13. Not a suprise by Anonymous Coward · · Score: 1

    PHP is utter dog shit developed by clueless dumbfucks.

    Python is slightly better than utter dog shit.

    Google is flat out incompetent.

  14. Main reason by KhawarNehal523 · · Score: 1

    I think the main reason is that the software is useless if it cannot connect. So developers are forced to make clients which work first and then give options for "enabling" security. It is left up to the user to decide what level of security they want to use to connect. The servers and clients can easily decide as far as management is concerned if they want to implement strict security or not. So the main reason why some browsers do implement is because people want to be aware. Until major attacks do not occur, and customers do not care, then there is no real reason to implement stricter security. It costs developers time and makes the software unnecessarily complex. Also it runs the risk of not working which in some customer cases is not acceptable. So this issue shall be around for ever as long as people do not need security is applications running on secure and controlled networks. Technically SSL is rumoured to be breakable so only OTP could be considered for serious applications. Regards, Khawar Nehal

  15. Apples and oranges by jgotts · · Score: 0

    Firefox and other browsers robustly support revoked certificates, as they should.

    I can personally speak about PHP. Although this language is hated by people who have to maintain poorly-written code by web designers who shouldn't be programming in the first place, it's actually a great language for experienced programmers who know what they're doing. I see that the only weakness cited for PHP is the lack of support for revoked certificates.

    You would never write a general-purpose web browser in PHP. If you're doing B2B programming, as is typical with PHP, there is a known set of certificates and a known set of end points. You don't have to use programmatic channels to do certificate revocation. E-mail and trouble tickets will suffice to have the certificate replaced sufficiently quickly.

    I haven't personally programmed in Python or Go but I would imagine the situation there is quite similar. You aren't writing a general purpose web browser that is connecting to arbitrary sites on the Internet. Instead you're mainly writing code to connect known end points with each other. Simply having a support mechanism for certificates would be adequate.

    There really is no need to write complex code to handle this situation. As long as you can remove and replace a certificate with your software, then you're good to go. If your credentials are burned into read-only memory, then you have bigger problems than certificate revocation.

    1. Re:Apples and oranges by DarkOx · · Score: 1

      You don't have to use programmatic channels to do certificate revocation. E-mail and trouble tickets will suffice to have the certificate replaced sufficiently quickly.

      And by doing so you have introduced an effective DOS vulnerability ( even if human based ) because you are asking people to make decisions to not trust a certificate based on communication over channels with poor authentication and integrity controls.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Apples and oranges by i.r.id10t · · Score: 1

      IIRC it is either the http wrappers for the various file functions (file_get_contents, etc) or cURL in PHP that needs a special argument for a self-signed certificate, and it throws an error if you don't use the argument. Wouldn't something similar work for a revoked certificate? Assuming the back end code was updated to do the revocation check?

      --
      Don't blame me, I voted for Kodos
    3. Re:Apples and oranges by Anonymous Coward · · Score: 0

      PHP has a list at list 10,000 long about why it is dog shit suitable only for clueless dumbfucks.

      You don't have to use programmatic channels to do certificate revocation. E-mail and trouble tickets will suffice to have the certificate replaced sufficiently quickly.

      That marks you out as said dumbfuck.

  16. Another great reason to use Perl by Anonymous Coward · · Score: 0

    Another great reason to use Perl!

    I just did a quick test of the bad server list from Sucuri, and the standard Perl module for making network connections (LWP) gives the following results:

            "Can't connect to revoked.grc.com:443 (certificate status is revoked)"
            "Can't connect to tv.eurosport.com:443 (hostname verification failed)"
            "Can't connect to qvica1g3-e.quovadisglobal.com:443 (certificate verify failed)"
            "Can't connect to self-signed.badssl.com:443 (certificate verify failed)"
            request succeeds for rc4.badssl.com
            "Can't connect to dh480.badssl.com:443 (alert handshake failure)"

    It's not perfect, because it will still make a connection using RC4, but anybody using Perl is protected from revoked certificates which is by far the worse problem. I have just submitted a bug report about the RC4 problem, so hopefully that will be fixed soon.

    At any rate, for those of you who have heard that "Perl is dead" you have heard wrong. It is alive and kicking, and being actively updated.

    1. Re:Another great reason to use Perl by Anonymous Coward · · Score: 0

      Can you post your code for this? I'm curious if you had to pass any additional options or set any special env vars, and would also like to test it on older / different versions.

  17. "the owner" by rakslice · · Score: 0

    "revoked by the owner" Who's that, I wonder?

  18. State and the Hot Potato by timotten · · Score: 1

    I suspect that most HTTP client implementations bundled with languages aim to be stateless by default. For anything that looks like state, the buck gets passed downstream. There is merit in this -- it gives the downstream developer a lot of flexibility. But then we have the problem: several standard HTTP behaviors that we usually take for granted are unworkable by default (i.e. HTTP cookies, HTTP caching, and CRL/OCSP -- which needs caching to perform reasonably).

    Typically, a developer wants to say something simple (http.get("http://example.com/the/data")) rather than

    cookieStore = new FileCookieStore("/var/lib/my-app-dir-that-someone-has-to-configure/cookies");
    cacheStore = new FileCacheStore("/var/lib/my-app-dir-that-someone-has-to-configure/cache");
    certValidator = new CachingCertificateValidator(cacheStore, {crl => true, ocsp => true});
    httpClient = new HttpClient(cookieStore, cacheStore, certValidator);
    httpClient.get('http://example.com/the/data');

    Who wants to be responsible for administering/documenting/supporting all those fiddly bits of state?

  19. Who Cares ? by Anonymous Coward · · Score: 1

    I connect to a lot of endpoints published by orgs like government departments which use private certificates issued by private root authorities, oddly enough the original principle behind certificates applies; do I trust the issuer ? If I do then I manually accept the CA and the cert into my certificate store in order for my systems to trust the remote endpoint.

    If all you are going to do is blindly accept certificates on the basis that they pass verification checks then you are doing it wrong.

    I laugh when I see how many "trusted" root authorities there are and just how many of them are practically untraceable.

  20. Re:News Flash: by Anonymous Coward · · Score: 1

    agree , it is not the task of a language to check for revoked certificates by default . The programmer need to do that , and if not done you cant fault the language .

  21. Re:News Flash: by TheRaven64 · · Score: 3, Insightful

    If you hit your thumb with a hammer, then it's your fault. If you cut your hand with a hammer designed by someone who thinks that razor blades are an ideal decoration to hammer handles, then it's probably the tool's fault. It's not the fault of the language, but it is the fault of whatever library you are using to handle the SSL connections if the simplest and recommended use of a library designed to establish a secure connection does not, in fact, establish a secure connection (or, at least, provide an easy-to-check error condition if it has failed to do so). If the language bundles this library as part of the standard library, then it's definitely a problem with the language.

    --
    I am TheRaven on Soylent News
  22. I actually block CRL sites in Squid by Anonymous Coward · · Score: 0

    IE seems frantic about sending requests to Microsoft for CRLs. A) No thanks on that telemetry thing, and B) Stop using my bandwidth stupidly. I filter them at the proxy.

  23. Uhh what? by Anonymous Coward · · Score: 0

    It's not a failing in any of these languages. At worst its a missing feature in their standard libraries.

    Also CRLs and the entire Cert system is full of fail and AIDS. Even if your language of choice has fantastic functions/classes, your entire stack grinds to a halt because the CRL server is just too busy/slow/crappy, or doesn't validate properly at all because their data is out of sync.

    Don;t worry though, I'm 100% sure the NSA/CIA/FBI/TLA doesn't have copies of every major CAs master keys so you can totally trust them.

  24. Got you! by Anonymous Coward · · Score: 0

    April fools!

  25. That's called OCSP by Anonymous Coward · · Score: 0

    Online Certificate Status Protocol. Java supports it just fine.

    1. Re:That's called OCSP by Jesus_666 · · Score: 1

      This is not about whether or not support is available, this is about how the API works. The GGP said that existing APIs tend to be too complicated and asked for a simple binary function to check a cert. I pointed out that a function that can return more than just "good" nd "bad" would be more useful. Neither I nor the GGP ever asserted that no API exists at all.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  26. Re: What? by Anonymous Coward · · Score: 0

    The encryption isn't all that useful if it's between you and a bad guy who is pretending to be the service you wanted to talk to...

    He could even be nice and transparently proxy you through. Maybe just look at your private bits while they go by...

  27. uh, yeah. You just noticed that? by the+stapler · · Score: 1

    CRLs are poorly used and often ignored, largely because there is no simple built in standard for keeping the CRLs updated and having all connections check them. Its bad enough that our team has gone to only issuing certs with very short life spans and just renewing them often. See https://www.openstack.org/summ...