
Re: iphone email client does not validate ssl certificates

From: Steve Shockley <steve shockley shockley net>
To: bugtraq securityfocus com
Cc:
Subject: Re: iphone email client does not validate ssl certificates
Date: Mon - Sep 28, 2009 06:34 PM


On 9/26/2009 5:54 AM, Pavel Machek wrote:
> Well... mujmail.org email client also does not validate ssl
> certificates -- optionally. Reasoning is that SSL with unverified
> certificate is still better than sending plaintext passwords.
>
> Does that count as a vulnerability?

Yes; it's not that difficult for someone on the same network segment to 
proxy all your traffic, and if you don't check your certificate then you 
might as well have sent it plaintext.

If you don't want to buy a cert, then set up your own mini-CA and 
install the CA root cert on your client.
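
The two client configurations discussed in this thread, as an added example that is not part of the original post: a TLS context that skips certificate validation next to one that trusts only a private mini-CA root, plus a small check that reports which one a client is using. The file name `mini-ca-root.pem` and host `mail.example.org` are placeholder assumptions.

```python
import imaplib
import ssl


def unverified_context():
    """Encrypts the session but accepts any certificate, so an on-path proxy
    can present its own cert and read the password."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # has to be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(ca_root_pem=None):
    """Verifying client context.

    With ca_root_pem set, ONLY that root (your own mini-CA) is trusted;
    without it, the system trust store is used.
    """
    if ca_root_pem is None:
        return ssl.create_default_context()
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_root_pem)  # raises if the file is missing
    return ctx


def audit(ctx):
    """Return a list of validation gaps in an SSLContext (empty means OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def connect_imaps(host, ctx, port=993):
    """Open IMAP over TLS; refuse to connect with a non-validating context."""
    problems = audit(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)


if __name__ == "__main__":
    print("unverified:", audit(unverified_context()))
    print("verifying :", audit(verifying_context()))
    # Placeholder names: connect_imaps("mail.example.org",
    #                                  verifying_context("mini-ca-root.pem"))
```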



