When the server (or an attacker) presents a certificate that is valid for any domain, regardless of whether it is valid for the domain part of the JID, ChatSecure will show the certificate as valid. This can lead to the user believing that the certificate is valid when it is not for the domain of the JID. This in turn might lead to the user accepting an invalid certificate potentially used by an attacker that is MITMing the connection.
Example:
Enter any JID@lebihan.nsupdate.info and see that message. The certificate is only valid for lebihan.pl domains, but not for this one. Because of the green tick and Valid certificate info, the certificate appears to be valid for that domain.
In my opinion, it is an important security issue.
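The check the report says is missing is a hostname match between the certificate's subjectAltName dNSName entries and the domainpart of the JID, separate from chain validation. The following is an added illustration, not ChatSecure's code; the SAN list is constructed to mirror the report (a certificate covering lebihan.pl and its subdomains only), and only dNSName entries are considered (no SRV-ID or XmppAddr handling).

```python
"""Hostname check a client should run before showing a server certificate
as valid for a JID: does any SAN dNSName cover the JID's domainpart?"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertCheck:
    jid_domain: str
    matched_name: Optional[str]  # SAN entry that matched, or None

    @property
    def valid_for_domain(self) -> bool:
        return self.matched_name is not None


def jid_domain(jid: str) -> str:
    """Domainpart of a JID (RFC 6122): drop localpart and resource, normalise case."""
    domain = jid.split("@", 1)[1] if "@" in jid else jid
    domain = domain.split("/", 1)[0]
    return domain.rstrip(".").lower()


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only be the entire leftmost label, matches
    exactly one label, and must be followed by at least two more labels."""
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # rejects 'foo*.example', '*.*.pl' and '*.pl'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_cert_for_jid(san_dns_names: List[str], jid: str) -> CertCheck:
    """Report which SAN covers the JID domain; chain validity is checked elsewhere."""
    domain = jid_domain(jid)
    for name in san_dns_names:
        if dns_name_matches(name, domain):
            return CertCheck(domain, name)
    return CertCheck(domain, None)


# Constructed SAN list modelled on the report: valid for lebihan.pl only.
SAMPLE_SANS = ["lebihan.pl", "*.lebihan.pl"]

if __name__ == "__main__":
    for jid in ("alice@lebihan.nsupdate.info", "alice@lebihan.pl/phone", "bob@xmpp.lebihan.pl"):
        r = check_cert_for_jid(SAMPLE_SANS, jid)
        print(f"{jid}: domain={r.jid_domain} valid_for_domain={r.valid_for_domain} via={r.matched_name}")
```

A client that passes chain validation but skips this step is exactly the state the report describes: a green tick for lebihan.nsupdate.info on a certificate issued only for lebihan.pl.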
mimi89999 changed the title from "Missleadinf info about certificate validity" to "Misleading info about certificate validity" on Dec 3, 2018.