SSL is a wonderful protocol, but it is frequently used badly. This note is intended to point out some of the more common errors made by applications using SSL. This checklist should be useful for application developers, system administrators, and the occasional penetration tester.
This note assumes you have at least a casual knowledge of SSL, but is not a paper about cryptography. If you know enough to write an SSL library, you will know every single one of the mistakes I mention below, plus a few more. Still, I hope that those of you who are writing SSL toolkits will consider why these mistakes are made. Perhaps it will help you design your toolkits so that novices use them correctly.
Most SSL servers do not have this problem, since it only affects those applications that need to verify certificates. If you are dealing with an SSL client application, or your SSL server expects clients to authenticate using certificates, you need to consider which certificate authorities you trust to sign certificates.Read Full Story