UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The mobile operating system must give the user the option to deny acceptance of a certificate if the mobile operating system determines that the certificate is invalid.


Overview

Finding ID Version Rule ID IA Controls Severity
V-32991 SRG-OS-000066-MOS-000039 SV-43389r1_rule Medium
Description
If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system. If the mobile operating system accepts the use of invalid certificates, the potential exists the system presenting the certificate is malicious, and can compromise sensitive information or system integrity. Allowing the operating system or user to deny invalid certificates mitigates the risk associated with the acceptance of such certificates.
STIG Date
Mobile Operating System Security Requirements Guide 2012-10-01

Details

Check Text ( C-41288r1_chk )
Inspect the mobile operating system configuration for providing the user the option to deny acceptance of a certificate if the mobile operating system determines that the certificate is invalid. If the operating system does not give the user the option to reject the certificate when it is invalid, this is a finding.
Fix Text (F-36903r1_fix)
Configure the mobile operating system to give the user the option to deny acceptance of a certificate if the mobile operating system determines that the certificate is invalid.