Validating certificates
An encryption scheme is a chain of steps, and it is no more secure than its weakest link. For HTTPS, the weakest links are certificate validation and the choice of ciphers.
Many developers deceive themselves by using self-signed certificates. These are easy to produce and cost nothing, but they cannot be validated against a trusted certificate authority either. To avoid the resulting errors, certificate validation is simply disabled in the software. Perhaps these developers think that it is enough that a sniffer cannot directly read what is being communicated. This is not correct. When you disable certificate validation, you also lose the ability to verify whether a malicious user is impersonating the expected remote party in a man-in-the-middle (MITM) attack. ...
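The two client configurations the passage contrasts, written out in Python's standard ssl module as an added example (not code from the book): the "fix" that turns validation off, and the alternative that keeps validation on by trusting the specific self-signed certificate instead. The function names and the audit helper are my own.

```python
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The shortcut the text warns against: errors from a self-signed
    certificate go away because *any* certificate is now accepted, so a
    MITM presenting its own certificate is indistinguishable from the
    real server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context(trusted_pem: Optional[str] = None) -> ssl.SSLContext:
    """Validation stays on. For a server with a self-signed certificate,
    pass that certificate's PEM text as trusted_pem: it is loaded as the
    only trust anchor, so the hostname check and chain verification still
    run and a MITM with a different certificate is rejected."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if trusted_pem is not None:
        ctx.load_verify_locations(cadata=trusted_pem)
    # The other weak link from the text: refuse legacy protocol versions.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validation_weaknesses(ctx: ssl.SSLContext) -> List[str]:
    """Audit helper: lists the ways a client context fails to validate
    the remote party. An empty list means validation is intact."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    return problems


if __name__ == "__main__":
    print("insecure:", validation_weaknesses(insecure_client_context()))
    print("secure:  ", validation_weaknesses(secure_client_context()))
```

To use the secure variant against a self-signed development server, read the server's certificate file into a string and pass it as trusted_pem; no other setting needs to change.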