[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: iphone email client does not validate ssl certificates

On 9/26/2009 5:54 AM, Pavel Machek wrote:
Well... mujmail.org email client also does not validate ssl
cerificates -- optionaly. Reasoning is that SSL with unverified
certificate is still better than sending plaintext passwords.

Does that count as a vulnerability?

Yes; it's not that difficult for someone on the same network segment to proxy all your traffic, and if you don't check your certificate then you might as well have sent it plaintext.

If you don't want to buy a cert, then set up your own mini-CA and install the CA root cert on your client.