[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: iphone email client does not validate ssl certificates

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: iphone email client does not validate ssl certificates
From: Steve Shockley <steve.shockley@xxxxxxxxxxxx>
Date: Mon, 28 Sep 2009 21:27:34 -0400

On 9/26/2009 5:54 AM, Pavel Machek wrote:

Well... mujmail.org email client also does not validate ssl
cerificates -- optionaly. Reasoning is that SSL with unverified
certificate is still better than sending plaintext passwords.

Does that count as a vulnerability?

Yes; it's not that difficult for someone on the same network segment toproxy all your traffic, and if you don't check your certificate then youmight as well have sent it plaintext.

If you don't want to buy a cert, then set up your own mini-CA andinstall the CA root cert on your client.

References:
- iphone email client does not validate ssl certificates
  - From: Bill Borskey
- Re: iphone email client does not validate ssl certificates
  - From: Pavel Machek

Prev by Date: WinRAR v3.80 - ZIP Filename Spoofing
Next by Date: Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges
Previous by thread: Re: iphone email client does not validate ssl certificates
Next by thread: [ MDVSA-2009:231 ] htmldoc
Index(es):
- Date
- Thread