[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: iphone email client does not validate ssl certificates

To: Bill Borskey <wborskey@xxxxxxxxx>
Subject: Re: iphone email client does not validate ssl certificates
From: Pavel Machek <pavel@xxxxxx>
Date: Sat, 26 Sep 2009 11:54:08 +0200

Hi!

> iPod/iPhone standard e-mail application does not validate SSL certificates
> and is vulnerable to a MITM (man in the middle attack).
> 
> Vulnerable: All versions.

Well... mujmail.org email client also does not validate ssl
cerificates -- optionaly. Reasoning is that SSL with unverified
certificate is still better than sending plaintext passwords.

Does that count as a vulnerability?
                                                                Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) 
http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Follow-Ups:
- Re: iphone email client does not validate ssl certificates
  - From: Steve Shockley

References:
- iphone email client does not validate ssl certificates
  - From: Bill Borskey

Prev by Date: [ MDVSA-2009:248 ] php
Next by Date: [MajorSecurity Advisory #59]PHP <=5.3 - mysqli_real_escape_string() full path disclosure
Previous by thread: iphone email client does not validate ssl certificates
Next by thread: Re: iphone email client does not validate ssl certificates
Index(es):
- Date
- Thread