diff --git a/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.qhelp b/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.qhelp index 2aec2e16b7a..5f7b4ec39ac 100644 --- a/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.qhelp +++ b/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.qhelp @@ -6,14 +6,20 @@

If the checkServerTrusted method of a TrustManager never throws a CertificateException it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application therefore breaking any security Transport Layer Security (TLS) gives. +

-An attack would look like this: -1. The program connects to https://example.com. -2. The attacker intercepts this connection and presents a valid, self-signed certificate for https://example.com. -3. Java calls the checkServerTrusted method to check whether it should trust the certificate. -4. The checkServerTrusted method of your TrustManager does not throw a CertificateException. -5. Java proceeds with the connection since your TrustManager implicitly trusted it by not throwing an exception. -6. The attacker can now read the data your program sends to https://example.com and/or alter its replies while the program thinks the connection is secure. +

+An attack might look like this: +

+ +
    +
  1. The vulnerable program connects to https://example.com. +
  2. The attacker intercepts this connection and presents a valid, self-signed certificate for https://example.com. +
  3. The vulnerable program calls the checkServerTrusted method to check whether it should trust the certificate. +
  4. The checkServerTrusted method of your TrustManager does not throw a CertificateException. +
  5. The vulnerable program accepts the certificate and proceeds with the connection since your TrustManager implicitly trusted it by not throwing an exception. +
  6. The attacker can now read the data your program sends to https://example.com and/or alter its replies while the program thinks the connection is secure. +