CERTIFICATE_VERIFY_PROC_JS_CHECK

Anthony Trummer edited this page Jan 6, 2022 · 2 revisions

CERTIFICATE_VERIFY_PROC_JS_CHECK - Insecure TLS Validation

When HTTPS is used as the transport, security is provided by Transport Layer Security (TLS). TLS, and its predecessor SSL, are widely used on the Internet to authenticate a service to a client and then to provide confidentiality for the channel. This check looks for common development errors that result in insecure apps because the application mistakenly opts out of X.509 certificate validation or imports untrusted certificates.


Risk

Opting out of TLS's X.509 certificate validation makes it possible to eavesdrop on and tamper with the network communication between the user and the application. If nodeIntegration is also enabled, an attacker can inject malicious JavaScript and compromise the user’s host.

Auditing

Verify that the application does not explicitly opt out of TLS validation.

Look for occurrences of setCertificateVerifyProc:

win.webContents.session.setCertificateVerifyProc((request, callback) => {
    const { hostname } = request;
    if (hostname === 'doyensec.com') {
        callback(0) // 0 = accept: overrides Chromium and disables certificate verification for this host
    }
    else {
        callback(-3) // -3 = use the verification result from Chromium
    }
})

Or importCertificate:

import { app } from "electron";

// app.importCertificate is Linux-only; options.certificate is the path to a
// PKCS#12 file and options.password its passphrase (placeholder values below).
const options = { certificate: "/path/to/cert.p12", password: "PLACEHOLDER" };
const callback = (result) => {
    // result is 0 on success, otherwise a Chromium net error code
};
app.importCertificate(options, callback);
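For contrast with the setCertificateVerifyProc pattern flagged above, the following is an added example (not code from the Electronegativity project or the Electron docs) of a verify proc that layers certificate pinning on top of Chromium's validation instead of replacing it. The pin table, hostname and fingerprint values are constructed placeholders; the request fields used (hostname, verificationResult, certificate.fingerprint) are the ones Electron passes to the proc.

```javascript
// Return codes accepted by the setCertificateVerifyProc callback.
const VERIFY_FAIL = -2;         // reject the connection
const VERIFY_USE_CHROMIUM = -3; // defer to Chromium's own result (the safe default)
// 0 ("success") is deliberately never returned: it overrides Chromium even
// when the chain failed validation, which is exactly the pattern this check flags.

// Constructed pin table: hostname -> accepted leaf certificate fingerprints.
const PINS = {
  'api.example.test': new Set(['sha256/PLACEHOLDER_LEAF_FINGERPRINT_A=']),
};

// Pure decision function so the policy can be unit-tested without Electron.
function decideVerification(pins, request) {
  const { hostname, verificationResult, certificate } = request;
  const expected = pins[hostname];
  if (!expected) {
    return VERIFY_USE_CHROMIUM; // unpinned host: Chromium's verdict stands
  }
  // Pinning only narrows what is accepted; a chain Chromium rejected stays rejected.
  if (verificationResult !== 'net::OK') {
    return VERIFY_FAIL;
  }
  if (certificate && expected.has(certificate.fingerprint)) {
    return VERIFY_USE_CHROMIUM; // valid chain and matching pin: keep Chromium's OK
  }
  return VERIFY_FAIL; // valid chain, but not the certificate we expect for this host
}

// Adapter in the shape Electron expects: (request, callback) => void.
function makeVerifyProc(pins) {
  return (request, callback) => callback(decideVerification(pins, request));
}

// Usage inside the app (needs a real Electron session object):
// win.webContents.session.setCertificateVerifyProc(makeVerifyProc(PINS));
```

A proc written this way can only make Chromium stricter, so a request whose chain Chromium already rejected can never be accepted, whereas the flagged pattern returns 0 regardless of the chain.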

References
