[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: iphone email client does not validate ssl certificates
On 9/26/2009 5:54 AM, Pavel Machek wrote:
Well... mujmail.org email client also does not validate ssl
cerificates -- optionaly. Reasoning is that SSL with unverified
certificate is still better than sending plaintext passwords.
Does that count as a vulnerability?
Yes; it's not that difficult for someone on the same network segment to
proxy all your traffic, and if you don't check your certificate then you
might as well have sent it plaintext.
If you don't want to buy a cert, then set up your own mini-CA and
install the CA root cert on your client.