
MITM vulnerability with self-signed certificates

Open · ghost opened this issue 10 years ago · 1 comment

Hi there,

HTTPS connections to CalDAV servers are vulnerable to MITM attacks with self-signed certificates. That's a bug.

I'd like to recommend certificate pinning. This paper provides a good starting point: Fahl et al.: Rethinking SSL Development in an Appified World, CCS 2013, http://android-ssl.org/files/p49.pdf

Best wishes, Jens

ghost avatar Apr 01 '14 14:04 ghost

Guys, this is serious!

There is no certificate validation at all in v1.8.1 - please fix this immediately!

Regards, B

plokta avatar May 21 '14 17:05 plokta