Security Concern: Are our APIs safe in Apigee Edge?

anshul_
Participant IV

Hello Apigeeks,

In early 2017 we reported an issue to Apigee regarding an SSL vulnerability.

The issue is that when a proxy communicates with the target over HTTPS, Edge doesn't validate the target's certificate even though the SSLInfo property is enabled and the IgnoreValidationErrors property is set to false.

This allows a proxy to make a connection with the target even when the target is configured with:

1. expired certificate (previously trusted CA signed)

2. self-signed certificate

3. Invalid CNAME on certificate

The only way to avoid this issue is to store the target's certificate in the truststore, even when the certificate is signed by a valid CA. Though as per Apigee's documentation, "In one-way TLS, a truststore is not required if the cert is signed by a valid CA".

Creating a truststore is not a big deal, but monitoring all your targets' certificates (trusted CA signed) is an operational and maintenance overhead, especially when you have got multiple targets running on your different customers' domains.

I believe Apigee understands the basic necessity of secure connections over HTTPS and considers it a security issue, but I am surprised that Apigee has not taken any action in this regard in the last 15 months. Apigee could have at least updated the documentation if they couldn't fix it.

Thanks

P.S. There is a detailed explanation from @Dino on this issue - https://community.apigee.com/questions/36858/edge-doesnt-validate-the-targets-certificate.html
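As an added illustration (not part of the post above, and not Apigee code), the following Python script shows what a target-certificate check looks like when validation is actually enforced: it builds a client-side TLS context that requires a trusted chain and a matching hostname, optionally pinned to an explicit truststore file (the workaround the post describes), and it audits a presented certificate for exactly the three conditions listed above (expired, self-signed, hostname mismatch). The certificate dictionaries at the bottom are constructed samples in the format returned by Python's `ssl.getpeercert()`; the `probe_target` helper needs network access and is only there for a live check against your own targets.

```python
"""Added example: audit an HTTPS target's certificate for the three
conditions the post lists (expired, self-signed, hostname mismatch) and
build a client-side TLS context that actually enforces them.

Assumptions (not from the post): the optional truststore is a PEM file
holding the target's CA or leaf certificate, mirroring the workaround of
uploading the target cert to an Edge truststore.
"""
import socket
import ssl
from datetime import datetime, timezone

# Fixed reference time so the sample audit below is reproducible
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def build_verifying_context(truststore_path=None):
    """Client context with chain and hostname validation enforced.

    This is what 'IgnoreValidationErrors=false' should mean on the client
    side: an untrusted chain or a name mismatch must abort the handshake.
    """
    ctx = ssl.create_default_context()  # loads the system CA bundle
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if truststore_path:
        # Pin to an explicit truststore (the workaround the post describes)
        ctx.load_verify_locations(cafile=truststore_path)
    return ctx


def context_enforces_validation(ctx):
    """True when the context will reject untrusted chains and wrong names."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def _rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name."""
    for rdn in name or ():
        for k, v in rdn:
            if k == key:
                return v
    return None


def _hostname_matches(pattern, host):
    """RFC 6125-style match: '*' may replace only the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".svc.example.com"
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return False


def audit_peer_cert(cert, expected_host, now=None):
    """Return the findings for a cert in ssl.getpeercert() dict form.

    Findings: 'expired', 'self-signed', 'hostname-mismatch'. An empty list
    means none of the three conditions from the post applies.
    """
    findings = []
    now = now or datetime.now(timezone.utc)
    # 1. expiry: notAfter is an OpenSSL-style "Mon DD HH:MM:SS YYYY GMT" string
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    # 2. self-signed: issuer name identical to subject name
    if cert.get("issuer") and cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed")
    # 3. name check: DNS SANs win; fall back to the CN only if no DNS SAN exists
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _rdn_value(cert.get("subject"), "commonName")
        names = [cn] if cn else []
    if not any(_hostname_matches(n, expected_host) for n in names):
        findings.append("hostname-mismatch")
    return findings


def probe_target(host, port=443, truststore_path=None, timeout=5.0):
    """Live check (needs network): handshake with validation enforced and
    report either the findings on the presented cert or the handshake error.
    """
    ctx = build_verifying_context(truststore_path)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"handshake": "ok",
                        "findings": audit_peer_cert(tls.getpeercert(), host)}
    except ssl.SSLCertVerificationError as exc:
        # A verifying client refuses the connection: the desired outcome
        return {"handshake": "rejected", "error": exc.verify_message}


# Constructed sample certs in ssl.getpeercert() format (not real targets)
CA_NAME = ((("organizationName", "Example Trust CA"),),)
VALID_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "issuer": CA_NAME,
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.svc.example.com")),
}
EXPIRED_CERT = dict(VALID_CERT, notAfter="Jan 15 00:00:00 2020 GMT")
SELF_SIGNED_CERT = dict(VALID_CERT, issuer=VALID_CERT["subject"])

if __name__ == "__main__":
    for label, cert in [("valid", VALID_CERT), ("expired", EXPIRED_CERT),
                        ("self-signed", SELF_SIGNED_CERT)]:
        print(label, audit_peer_cert(cert, "api.example.com", now=AUDIT_TIME))
    print("wrong host", audit_peer_cert(VALID_CERT, "target.example.net", now=AUDIT_TIME))
```

The audit function is deliberately separate from the live probe so the same checks can be run over certificates exported from a truststore or a monitoring job, which is the operational burden the post raises: once you rely on a truststore, someone has to notice before the stored certificate expires or the target's name changes.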


What's the question?

Hello @Dino,
Thanks for replying. Do you consider it a security issue? If yes, can Apigee, through this channel, help us to fix this issue?

I wouldn't say we consider it a security issue in and of itself. Security doesn't exist in a vacuum - it exists within a design and architecture. For instance, using HTTP without HTTPS is not always a security issue, depending on what the data is and how it's used.

Hi @Paul Williams,

Nowadays, I don't think anyone designing APIs would consider implementation of HTTPS optional, though "how to implement HTTPS" can fall under "design and architecture". So, if we are discussing HTTPS over HTTP, then it is a completely different discussion.

Many of the companies in the financial, health, insurance and telecom sectors, which consider data security their utmost priority, are using Apigee Edge.

Although I completely understand that the possibility of a security breach in this scenario is very low, we can't take any risks with our customers and want this issue fixed as soon as possible.