SSL Validation Checking vs. Going to Fail

Explore the critical importance of SSL certificate validation in cybersecurity through this 26-minute Black Hat conference talk by Thomas Brandstetter. Delve into the aftermath of the "go to fail" bug that exposed vulnerabilities in Apple's SSL implementation. Learn about the development of SVF (SSL-Validation-Fuzzer), a Python-based tool designed to test certificate validation checks without access to source code. Discover how SVF works by intercepting SSL handshakes, generating mutated certificates, and testing client-side validation logic. Examine the results of a field study conducted on iOS, Android, and Windows Mobile banking apps, revealing surprising vulnerabilities in certificate checks. Gain insights into the potential applications of SVF-type checks for app developers and security professionals in identifying susceptibility to man-in-the-middle attacks.