Hacker News
Java/Android SSLSocket Vulnerable to MitM Attacks (op-co.de)
12 points by ge0rg 1203 days ago | 2 comments



Also can be phrased as: "Rarely used, low-level Socket class intentionally doesn't perform automatic SSL certificate verification, and is documented as such."


> Rarely used, low-level Socket class intentionally doesn't perform automatic SSL certificate verification

It is true this class is rarely used, but it does not mean that security is optional for rarely-used APIs. As can be seen from the linked CVE and the list of affected applications, the problem is real and needs more developer attention.

> and is documented as such

I beg to differ. The SSLSocket class documentation not only does not mention this fact, it creates the illusion that SSLSocket is secure. The fact that a different document mentions this shortcoming can hardly count as "documentation", especially with the grave implications for apps.



