Re: NSURLConnection SSL connection with expired cert.
- Subject: Re: NSURLConnection SSL connection with expired cert.
- From: Jens Alfke <email@hidden>
- Date: Tue, 4 Mar 2008 08:11:13 -0800
On 3 Mar '08, at 10:13 PM, Marcel Borsten wrote:

> I don't think this is in any way documented and can break at any
> time, but after looking around for a while I found this method:
>
> @interface NSURLRequest (NSHTTPURLRequest)
> + (BOOL)allowsAnyHTTPSCertificateForHost:(id)fp8;
> + (void)setAllowsAnyHTTPSCertificate:(BOOL)fp8 forHost:(id)fp12;
> @end

Even ignoring compatibility issues, I think it would be a bad idea to
use that. It completely disables the authentication features of SSL,
removing any assurance that the server you've connected to is the
right one. (That's not just a theoretical security problem. Something
like 25% of public DNS servers have been compromised, according to
recent reports, and can direct users to phishing/malware/ad sites even
if they enter the domain name properly. The only thing protecting you
from that is SSL certificate checking.)

In layman's terms, this is like sawing off the ground prong on the
plug of your new power drill because you don't have a grounded outlet
nearby. :-O

IMHO the user should only be allowed to bypass an invalid cert if
s/he's first had a chance to look at the contents of the cert, as
Safari does. In the absence of that sort of functionality, this is too
dangerous to use.

—Jens
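
Added example, not part of the original message and not Apple's code: one way to scope an exception for an expired certificate to a single certificate the user has already inspected, instead of turning off validation for the host. It assumes the current NSURLSession delegate API (macOS 10.14 or later) rather than the 2008-era NSURLConnection; the class `ReviewedCertDelegate` and its two properties are hypothetical names.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Hypothetical delegate: a chain that fails evaluation is accepted only when its
// leaf certificate matches a digest stored after the user reviewed that certificate.
@interface ReviewedCertDelegate : NSObject <NSURLSessionDelegate>
@property (copy) NSString *host;             // the one host the exception applies to
@property (copy) NSData *approvedLeafSHA256; // SHA-256 of the DER cert the user approved
@end

@implementation ReviewedCertDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    // Normal path: the chain validates, so the system's own handling applies.
    if (trust != NULL && SecTrustEvaluateWithError(trust, NULL)) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    // Failure path: no blanket bypass. Compare the presented leaf certificate
    // with the exact one the user looked at and approved for this host.
    if (trust != NULL && self.approvedLeafSHA256 != nil &&
        [space.host caseInsensitiveCompare:self.host] == NSOrderedSame &&
        SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
        unsigned char digest[CC_SHA256_DIGEST_LENGTH];
        CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
        NSData *seen = [NSData dataWithBytes:digest length:sizeof digest];
        if ([seen isEqualToData:self.approvedLeafSHA256]) {
            completionHandler(NSURLSessionAuthChallengeUseCredential,
                              [NSURLCredential credentialForTrust:trust]);
            return;
        }
    }
    // Anything else (different host, different cert, no approval) is refused.
    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
}
@end
```

`SecTrustGetCertificateAtIndex` is deprecated as of macOS 12 in favour of `SecTrustCopyCertificateChain`; it is used here to keep the example short.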