Code Smell 261 – DigiCert Underscores

by


This is your reminder: Don’t forget to check strings with special characters like underscores

TL;DR: Underscore and special characters can lead to validation errors

Problems

Incomplete Validation
Security Risks
Missed Tests
Incorrect Setup
System Inconsistency
Breaking changes with legacy data

Solutions

Use consistent prefix
Implement strict validation
Check system outputs
Create migration tests
Test with legacy data

Context

In digital certificate validation, ensuring domain control is critical. An incomplete validation and potential security issues.

DigiCert recently encountered such a problem, where they missed adding an underscore prefix. This resulted in certificates being issued without proper validation and a cascade of broken sites with few advancement notices.

Sample Code

Wrong

// Incorrect random value without underscore
let random_value = format!(“{}”, generate_random_value());
setup_dns_record(
&format!(“_{}.example.com”, random_value),
“dcv.digicert.com”);

Right

// Correct random value with underscore
let random_value = format!(“_{}”, generate_random_value());
setup_dns_record(&random_value, “dcv.digicert.com”);

Detection

[x] Manual

You can detect this smell by reviewing the validation process and checking if all required prefixes are consistently applied.

You should also store historical data and check the new rules applied to them.

Tag(s)

Security

Level

[x] Advanced

AI Generation

AI-generated code might miss adding specific prefixes unless explicitly instructed.

This can lead to security risks if the generated code is not thoroughly reviewed.

AI Detection

With proper examples and instructions, AI tools can be trained to detect missing prefixes in generated or existing code.

Conclusion

Skipping an essential part of the validation process, like an underscore prefix, can lead to significant issues.

Ensuring such steps are consistently applied and reviewed is crucial for maintaining system integrity and security.

Relations

https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xxxviii?embedable=true

More Info

https://www.digicert.com/support/certificate-revocation-incident?embedable=true

https://thehackernews.com/2024/07/digicert-to-revoke-83000-ssl.html?embedable=true

https://www.bleepingcomputer.com/news/security/digicert-mass-revoking-tls-certificates-due-to-domain-validation-bug/?embedable=true

:::warning
Disclaimer: Code Smells are my opinion.

:::

:::info
Credits: Photo by Markus Spiske on Unsplash

:::

Security is a process, not a product

Bruce Schneier

https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true

:::tip
This article is part of the CodeSmell Series on HackerNoon: How to Find the Stinky Parts of Your Code

:::

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.