Java/Android SSLSocket Vulnerable to MitM Attacks - ge0rg
http://op-co.de/blog/posts/java_sslsocket_mitm/

======
dozy
Also can be phrased as: "Rarely used, low-level Socket class intentionally
doesn't perform automatic SSL certificate verification, and is documented as
such."

~~~
ge0rg
_Rarely used, low-level Socket class intentionally doesn't perform automatic
SSL certificate verification_

It is true this class is rarely used, but it does not mean that security is
optional for rarely-used APIs. As can be seen from the linked CVE and the list
of affected applications, the problem is real and needs more developer
attention.

_and is documented as such_

I beg to differ. The SSLSocket class documentation not only does not mention
this fact, it creates the illusion that SSLSocket is secure. The fact that a
different document mentions this shortcoming can hardly count as
"documentation", especially with the grave implications for apps.
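To make the point of the thread concrete: the check SSLSocket skips is hostname verification. The handshake validates the certificate chain against the trust store, but nothing compares the name in the certificate with the host the client meant to reach, so any certificate a trusted CA issued to anyone passes. The following is an added example, written for this page and not taken from the linked blog post or from either commenter; the test host wrong.host.badssl.com is a suggestion of mine and not mentioned on the page. It shows the unverified connect beside two ways of adding the missing check.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SslSocketHostnameDemo {

    // Vulnerable form: the chain is validated against the trust store, but the
    // name in the certificate is never compared with 'host'. A MitM with any
    // CA-issued certificate (for any domain) completes this handshake.
    static SSLSocket connectUnverified(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        s.startHandshake();
        return s;
    }

    // Hardened form (Java 7+, Android API 24+): enable RFC 2818 endpoint
    // identification so the handshake itself fails on a name mismatch.
    static SSLSocket connectVerified(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake(); // throws SSLHandshakeException if the name does not match
        return s;
    }

    // Alternative for platforms without setEndpointIdentificationAlgorithm:
    // run a HostnameVerifier on the negotiated session before any application
    // data is sent. On Android, HttpsURLConnection.getDefaultHostnameVerifier()
    // is a usable verifier; the JDK's default one rejects every name, so on
    // plain Java supply your own.
    static void checkHostname(SSLSocket s, String host, HostnameVerifier hv) throws IOException {
        if (!hv.verify(host, s.getSession())) {
            s.close();
            throw new SSLPeerUnverifiedException("certificate does not match " + host);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed test host: serves a valid, CA-signed certificate for a
        // different name, which is exactly the case an attacker needs.
        String host = args.length > 0 ? args[0] : "wrong.host.badssl.com";
        int port = 443;

        try (SSLSocket s = connectUnverified(host, port)) {
            X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("unverified: handshake OK, peer presented "
                    + peer.getSubjectX500Principal());
        }

        try (SSLSocket s = connectVerified(host, port)) {
            System.out.println("verified: handshake OK, certificate matches " + host);
        } catch (SSLHandshakeException e) {
            System.out.println("verified: rejected, " + e.getMessage());
        }
    }
}
```

Run it against the assumed host (or any server whose certificate is issued for a different name) and the first connect succeeds while the second is refused; that difference is the whole bug, and the unverified variant is what plain SSLSocket usage gives you unless the caller adds the check.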

