By Mahoney266
via cs.utexas.edu
Published: Oct 26 2012 / 08:14
This paper alleges that many HTTPS clients, including Apache HttpClient 3.x and everything built on it (Axis 1 & 2, Apache CXF), either do not check the trust chain of a TLS certificate appropriately or do not validate that the certificate is for the domain they are trying to contact, in both cases opening themselves up to simple man-in-the-middle attacks. Whilst I have not validated its allegations, I think they deserve to be taken seriously, and particularly the advice that any application that is a client of a cloud-based, TLS-secured service should actively test whether it allows connections to untrusted or wrong-domain certificates.
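As an added illustration of the two checks the post refers to (this is example code, not taken from the paper or from Apache HttpClient), the following Python standard-library snippet classifies an `ssl.SSLContext` by whether it would skip chain validation or hostname verification, builds the weak and the hardened configuration side by side, and implements a simplified form of the RFC 6125 hostname-matching rules; the function and variable names are my own.

```python
import ssl
from typing import Iterable, List


def context_weaknesses(ctx: ssl.SSLContext) -> List[str]:
    """Report which of the two client-side checks an SSLContext would skip:
    chain validation against the trust store, and matching the certificate to the host."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("trust chain not verified")
    if not ctx.check_hostname:
        problems.append("certificate not checked against target hostname")
    return problems


def weak_client_context() -> ssl.SSLContext:
    """The 'accept anything' configuration the paper warns about (constructed for illustration)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE     # accepts self-signed and wrong-host certificates
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Default context: system trust store, chain validation and hostname check enabled."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def hostname_matches(cert_names: Iterable[str], hostname: str) -> bool:
    """Simplified RFC 6125 matching of a target host against a certificate's DNS names.
    A wildcard may only be the whole leftmost label and needs at least two fixed labels."""
    host = hostname.rstrip(".").lower().split(".")
    for name in cert_names:
        pat = name.rstrip(".").lower().split(".")
        if "*" not in name:
            if pat == host:
                return True
            continue
        if pat[0] != "*" or len(pat) < 3 or any("*" in lab for lab in pat[1:]):
            continue                   # partial or misplaced wildcards are rejected
        if len(host) == len(pat) and host[1:] == pat[1:]:
            return True                # "*.example.com" matches exactly one label
    return False
```

Running `context_weaknesses` against the context an application actually hands to its HTTP library is a cheap way to catch the "accept anything" configuration before a wrong-domain or self-signed certificate does.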