Misleading description in A02:2021, should be moved to A07:2021 #724

Open
kwwall opened this issue Jul 8, 2022 · 0 comments
Comments


kwwall commented Jul 8, 2022

In A02:2021 - Cryptographic Failures, under the Description section, it states:

  • Is the received server certificate and the trust chain properly validated?

I believe that this statement is in the wrong OT10 item and should be (re)moved.

If you look at the corresponding CWE, this is primarily a case of CWE-296: Improper Following of a Certificate's Chain of Trust. It has little, if anything, to do with a cryptographic failure, but rather it is an authentication failure as CWE-296 makes obvious if you follow the CWE chain to its parent CWE-295.

I believe (and I think MITRE would agree) that this bullet item that I referenced is an authentication failure. Specifically, it is a failure to properly authenticate the host you are intending to connect to over a TLS connection. Indeed, I believe a better fit for this statement would be to move it to A07:2021.
