Description
A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: Low
Related Weaknesses
CWE-295
CWE-672
Consequences
Integrity, Other: Other
The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.
Authentication, Other: Other
Trust afforded to the system in question – based on the expired certificate – may allow for spoofing attacks.
Potential Mitigations
Phase: Architecture and Design
Description:
Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
Phase: Implementation
Description:
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.
CVE References
