If you use SSL, cURL up and VERIFYPEERS

Reader level: Techy/Sysadmin

My friend KevinSMcArthur announced over a year ago at an Ideas Meeting that he had found an interesting information security flaw which he described as fairly large and at the class level. I enquired further and pressed for more details, but he insisted on following a ‘responsible disclosure’ process (which you can read about on his blog). This included contacting the CBA (Canadian Bankers Association) the Privacy Commissioner of Canada and the Canadian Cyber Incident Response Centre (a division of Public Safety Canada).

Six months later, his finding was released as an information note called “Implementing PHP cURL Verifypeer Option in Applications Requiring SSL Certificate Verification“. Most official publications such as this are either so vague you don’t even understand the issue, or they’re so technical the media who would write on such dangers are left scratching their heads. This one seems to fit the latter, as I’ve seen no mainstream attention to this issue that affects the security on the internet as we know it today.

The technical details:

If you’re using a popular dynamic programming language called php to code the SSL (secure connections to your website), there’s an option called VERIFYPEER. If developers set the option CURLOPT_SSL_VERIFYPEER option to “0” or “false” that removes the entire trust validation process that SSL offers, essentially the security of the internet as we know it. If it is set to false, true, 0 or 1 rather than the integer value 2, it will also trigger peerjacking.

The impact:

It turns out, some major organizations had this enabled. This means we don’t know if the bad guys were using this then, or have started now. While this option isn’t a standard vulnerability, it’s more a case of a lazy developer trying to turn off more errors, and hence, more work for themselves.

So who is affected? A lot of the organizations you rely on, organizations that afford more lawyers than I can. A google search should reveal many (or github search) to anyone willing to do a little investigating. We’re talking credit card companies, online payment companies, and some organizations that use oauth to name a few.

Even though it’s more than six months after it has been announced, there are still organizations that are vulnerable, so check yours today.