Ensure TLS verification

Documentos > Datadog Security > Code Security > Static Analysis (SAST) > SAST Rules > Ensure TLS verification

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: go-security/tls-skip-verify

Language: Go

Severity: Info

Category: Security

CWE: 295

Description

The Transport Layer Security (TLS) protocol serves to secure communications between a client and server in a network, so it’s integral to maintaining the integrity and confidentiality of data transmission.

In the Go programming language, a common pitfall is that developers sometimes set the parameter InsecureSkipVerify of tls.Config to true to simplify coding or avoid certificate validation errors during testing. However, this parameter must never be set to true in a production environment.

When InsecureSkipVerify is set to true, the TLS verification process is bypassed entirely. Essentially, this action is skipping the very phase that confirms the server identity, leading to possibilities of “Man-in-the-Middle” (MitM) attacks. MitM attacks occur when a malicious actor intercepts and potentially alters the communication between two parties without their knowledge.

By validating the server’s certificate, the client verifies the server’s identity and ensures that it’s safe to transmit data. If InsecureSkipVerify is set to true, even a server with an invalid or compromised certificate may appear trustworthy, posing significant security risks.

Therefore, always ensure that the InsecureSkipVerify parameter is set to ‘false’ to avoid these possible security breaches. Instead of turning this parameter to ’true’ to fix certificate issues, find and resolve the reason the certificate is considered invalid. This could involve renewing expired certificates, trusting a self-signed certificate, or fixing hostname mismatches. This way, you can uphold the authenticity and privacy of your application’s client-server interactions.

Learn More

CWE-295: Improper Certificate Validation

Non-Compliant Code Examples

package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

func main() {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
}

Compliant Code Examples

package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

func main() {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: false},
	}

}