Java: Use machine-in-the-middle consistently

intrigus-lgtm
2021-01-27 21:49:34 +01:00
committed by intrigus
parent f52e438f3e
commit 030c286902

@@ -5,7 +5,7 @@
<overview>
<p>
If the <code>checkServerTrusted</code> method of a <code>TrustManager</code> never throws a <code>CertificateException</code> it trusts every certificate.
This allows an attacker to perform a Man-in-the-middle attack against the application therefore breaking any security Transport Layer Security (TLS) gives.
This allows an attacker to perform a machine-in-the-middle attack against the application therefore breaking any security Transport Layer Security (TLS) gives.
An attack would look like this:
1. The program connects to <code>https://example.com</code>.
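Review bot: The changed overview sentence still reads awkwardly around the renamed term: there is no comma before "therefore", and "any security Transport Layer Security (TLS) gives" is hard to parse. Since the line is being touched anyway, consider ending it with ", thereby removing the protection that Transport Layer Security (TLS) provides." Separately, the numbered steps that start at "1. The program connects to" sit as plain text inside the paragraph; if the rendered help collapses whitespace they will run together, so an explicit list element may be the safer markup.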
@@ -29,7 +29,7 @@ See below for an example of how to do this.
<example>
<p>
In the first (bad) example, the <code>TrustManager</code> never throws a <code>CertificateException</code> thereby trusting any certificate.
This allows an attacker to perform a man-in-the-middle attack.
This allows an attacker to perform a machine-in-the-middle attack.
In the second (good) example, no custom <code>TrustManager</code> is used. Instead, the self-signed certificate that should be trusted
is explicitly trusted by loading it into a <code>KeyStore</code>.
</p>
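Review bot: In the example paragraph, the description of the good case stops at "loading it into a KeyStore" and does not say what then validates the server certificate. One added clause stating that the default trust manager, initialised from that KeyStore, still performs the check would make it clear why the second example is not exposed to the machine-in-the-middle attack named on the changed line. Minor style point on the context line above the change: a comma before "thereby trusting any certificate" would help readability.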