Customized TrustManager bypasses certificate verification

[GraceXiaoYa]

Vulnerability Description:

We found a security vulnerability in file LittleProxy/src/main/java/org/littleshoot/proxy/extras/SelfSignedSslEngineSource.java. The customized TrustManger (at Line 125) allows all certificates to pass the verification.

Security Impact:

The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.

Useful Resources:

https://cwe.mitre.org/data/definitions/295.html

https://developer.android.com/training/articles/security-ssl

Solution we suggest:

Do not customize the TrustManger or specify the certificate validation logic instead of allowing all certificates. See here to securely allow self-signed certificates and other common cases.

Please share with us your opinions/comments if there is any:

Is the bug report helpful?