gggard / AndroidCaldavSyncAdapater

CalDAV sync adapter for Android

MITM vulnerability with self-signed certificates #184

Open ghost opened 10 years ago

ghost commented 10 years ago

Hi there,

HTTPS connections to CalDAV servers are vulnerable to MITM attacks with self-signed certificates. That's a bug.

I'd like to recommend certificate pinning. This paper provides a good starting point: Fahl et al.: Rethinking SSL Development in an Appified World, CCS 2013, http://android-ssl.org/files/p49.pdf

Best wishes, Jens

plokta commented 10 years ago

Guys, this is serious!

There is no certificate validation at all in v1.8.1 - please fix this immediately!

Regards, B