
Misleading info about certificate validity #1071

Closed
mimi89999 opened this issue Dec 3, 2018 · 0 comments

Comments

@mimi89999
Contributor

When the server (or an attacker) presents a certificate that is valid for any domain, regardless of whether it is valid for the domain part of the JID, ChatSecure will show the certificate as valid. This can lead to the user believing that the certificate is valid when it is not for the domain of the JID. This in turn might lead to the user accepting an invalid certificate potentially used by an attacker that is MITMing the connection.

Example:
[Screenshot: simulator screen shot - iphone se - 2018-12-03 at 17 21 21]

Enter any JID@lebihan.nsupdate.info and see that message. The certificate is only valid for lebihan.pl domains, but not for this one. Because of the green tick and Valid certificate info, the certificate appears to be valid for that domain.

In my opinion, it is an important security issue.

mimi89999 changed the title from "Missleadinf info about certificate validity" to "Misleading info about certificate validity" on Dec 3, 2018
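As an added example that is not part of this issue or of ChatSecure's code: the check the report is asking for, written in Python. A certificate whose chain validates can still belong to some other site, so before the UI shows a green tick the client must also confirm that one of the certificate's subjectAltName dNSName entries matches the domain part of the JID. The SAN lists below are constructed sample data standing in for the certificates in the report (the real certificates are not on the page); the matcher follows the RFC 6125 wildcard rules. It covers dNSName identifiers only: an XMPP client must additionally accept XmppAddr and SRV-ID identifiers (RFC 6120 section 13.7.2), and this name check is in addition to chain validation, not a replacement for it.

```python
"""Name check a client must perform before calling a certificate 'valid'.

Chain validation answers "is this certificate trusted?"; the check below
answers "is it trusted FOR THIS JID's domain?".  Both must pass.
"""

# Constructed subjectAltName dNSName lists, standing in for parsed certificates.
# These are sample data for the example, not the real certificates.
CERT_LEBIHAN_PL = ["lebihan.pl", "*.lebihan.pl"]          # what the report describes
CERT_NSUPDATE = ["lebihan.nsupdate.info"]                 # what the JID actually needs


def jid_domainpart(jid: str) -> str:
    """Return the domainpart of a JID: strip 'localpart@' and '/resourcepart'."""
    bare = jid.split("/", 1)[0]          # drop resourcepart
    domain = bare.rsplit("@", 1)[-1]     # drop localpart (if any)
    return domain.rstrip(".").lower()


def dnsname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one dNSName entry against a host name.

    Case-insensitive; a wildcard is allowed only as the entire leftmost label,
    never matches across a dot, and is refused for names with fewer than three
    labels so that '*.pl' cannot match every second-level domain.
    """
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = host.rstrip(".").lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False                      # partial or non-leftmost wildcard
    if len(p_labels) < 3:
        return False                      # '*.pl' is too broad to accept
    return p_labels[1:] == h_labels[1:]


def certificate_valid_for_jid(san_dnsnames, jid: str) -> bool:
    """True only if some SAN dNSName entry matches the JID's domainpart."""
    host = jid_domainpart(jid)
    if not host:
        return False
    return any(dnsname_matches(p, host) for p in san_dnsnames)


def describe(san_dnsnames, jid: str) -> str:
    """The wording a UI should use once chain validation has already passed."""
    host = jid_domainpart(jid)
    if certificate_valid_for_jid(san_dnsnames, jid):
        return f"certificate valid for {host}"
    return f"certificate trusted but NOT valid for {host} (name mismatch)"


if __name__ == "__main__":
    # The case in the report: a lebihan.pl certificate offered for a
    # lebihan.nsupdate.info JID must not be presented as valid.
    print(describe(CERT_LEBIHAN_PL, "alice@lebihan.nsupdate.info"))
    print(describe(CERT_NSUPDATE, "alice@lebihan.nsupdate.info"))
    print(describe(CERT_LEBIHAN_PL, "alice@chat.lebihan.pl"))
```

The decision that matters for the report is the first call in the `__main__` block: the certificate is perfectly good for `lebihan.pl` and its direct subdomains, and still must be reported as a name mismatch for `lebihan.nsupdate.info`.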