Bugtraq mailing list archives
Re: iphone email client does not validate ssl certificates
From: Steve Shockley <steve.shockley () shockley net>
Date: Mon, 28 Sep 2009 21:27:34 -0400
On 9/26/2009 5:54 AM, Pavel Machek wrote:
Well... mujmail.org email client also does not validate ssl cerificates -- optionaly. Reasoning is that SSL with unverified certificate is still better than sending plaintext passwords. Does that count as a vulnerability?
Yes; it's not that difficult for someone on the same network segment to proxy all your traffic, and if you don't check your certificate then you might as well have sent it plaintext.
If you don't want to buy a cert, then set up your own mini-CA and install the CA root cert on your client.
Current thread:
- iphone email client does not validate ssl certificates Bill Borskey (Sep 11)
- Re: iphone email client does not validate ssl certificates Pavel Machek (Sep 28)
- Re: iphone email client does not validate ssl certificates Steve Shockley (Sep 29)
- Re: iphone email client does not validate ssl certificates Pavel Machek (Sep 28)