Java/Android SSLSocket Vulnerable to MitM Attacks (op-co.de)
12 points by ge0rg on Aug 5, 2014 | 2 comments



Also can be phrased as: "Rarely used, low-level Socket class intentionally doesn't perform automatic SSL certificate verification, and is documented as such."


Rarely used, low-level Socket class intentionally doesn't perform automatic SSL certificate verification

It is true this class is rarely used, but it does not mean that security is optional for rarely-used APIs. As can be seen from the linked CVE and the list of affected applications, the problem is real and needs more developer attention.

and is documented as such

I beg to differ. The SSLSocket class documentation not only does not mention this fact, it creates the illusion that SSLSocket is secure. The fact that a different document mentions this shortcoming can hardly count as "documentation", especially with the grave implications for apps.
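To make the gap concrete, here is an added illustration (not code from the thread or from the linked article) of the SSLSocket pattern under discussion beside a hardened version. The trust manager behind `SSLSocketFactory.getDefault()` does validate the certificate chain, but nothing in the plain pattern checks that the certificate was issued for the host being contacted, which is exactly what a MitM with any valid certificate exploits. The hostname and port are placeholders.

```java
import java.io.IOException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SslSocketHostnameCheck {

    // The pattern the thread is about: the CA chain is verified by the default
    // trust manager, but the peer's name is never compared against `host`, so a
    // certificate valid for any other domain is accepted.
    static SSLSocket connectWithoutHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    // Hardened version (Java 7+, Android API 24+): ask the TLS stack to perform
    // HTTPS-style endpoint identification (RFC 2818 host matching) as part of the
    // handshake; a name mismatch now fails startHandshake() with an SSLException.
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder target; replace with the service you actually need to reach.
        try (SSLSocket s = connectWithHostnameCheck("example.invalid", 443)) {
            System.out.println("Peer verified: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

On Android releases older than API 24 the same check can be done after the handshake with a `HostnameVerifier` applied to `socket.getSession()`; the important point is that some explicit check exists, because `SSLSocket` alone provides none.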



