On 3 Mar '08, at 10:13 PM, Marcel Borsten wrote:
I don't think this is in any way documented and can break at any time, but after looking around for a while I found this method:@interface NSURLRequest (NSHTTPURLRequest) + (BOOL)allowsAnyHTTPSCertificateForHost:(id)fp8; + (void)setAllowsAnyHTTPSCertificate:(BOOL)fp8 forHost:(id)fp12; @end
Even ignoring compatibility issues, I think it would be a bad idea to use that. It completely disables the authentication features of SSL, removing any assurance that the server you've connected to is the right one. (That's not just a theoretical security problem. Something like 25% of public DNS servers have been compromised, according to recent reports, and can direct users to phishing/malware/ad sites even if they enter the domain name properly. The only thing protecting you from that is SSL certificate checking.)
In layman's terms, this is like sawing off the ground prong on the plug of your new power drill because you don't have a grounded outlet nearby. :-O
IMHO the user should only be allowed to bypass an invalid cert if s/ he's first had a chance to look at the contents of the cert first, as Safari does. In the absence of that sort of functionality, this is too dangerous to use.
—Jens
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Cocoa-dev mailing list ([email protected]) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to [EMAIL PROTECTED]
