Whoops -- major users of SSL in non-browser software is broken and insecure (including Amazon EC2 and PayPal libraries)

Lovely.

Time to patch those holes.

Why is security so hard?

I think part of the reason for these vulnerabilities is not proper, basic, testing. A simple self-signed certificate would have revealed almost all of these problems -- if testing with one were done.

Now I'm horrified.

Who makes libraries without testing at least the basics?

I haven't seen an xUnit security framework before. Maybe it's a good idea? Most testing is for functionality or integration.

From the paper:

"The primary cause of these vulnerabilities is the developers’ misunderstanding of the numerous options, parameters, and return values of SSL libraries. For example, Amazon’s Flexible Payments Service PHP library attempts to enable hostname verification by setting cURL’s CURLOPT_SSL_VERIFYHOST parameter to true. Unfortunately, the correct, default value of this parameter is 2; setting it to true silently changes it to 1 and disables certificate validation. PayPal Payments Standard PHP library introduced the same bug when updating a previous, broken implementation. Another example is Lynx, a text-based browser which is often used programmatically and thus included in our study. It checks for self-signed certificates—but only if GnuTLS’s certificate validation function returns a negative value. Unfortunately, this function returns 0 for certain errors, including certificates signed by an untrusted authority. Chain-of-trust verification in Lynx is thus broken."

Is this the same vulnerability:

https://aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/

No, I think those were on the server side, instead of client-side libs. In fact one of their recommendations was: "Only utilize the SSL-secured / HTTPS endpoint for any AWS service and ensure that your client utilities perform proper peer certificate validation."

That seems like it should be a no-brainer.

That it isn't, is very troubling!

I notice the authors created a test environment for this, but haven't released an open-source tool for it. I think that would be helpful.

I think the real question here is how long has the None Such Agency known about this?