Re: NSURLConnection SSL connection with expired cert.
FROM : Jens Alfke
DATE : Tue Mar 04 17:11:13 2008

On 3 Mar '08, at 10:13 PM, Marcel Borsten wrote:

> I don't think this is in any way documented and can break at any 
> time, but after looking around for a while I found this method:
>
> @interface NSURLRequest (NSHTTPURLRequest)
> + (BOOL)allowsAnyHTTPSCertificateForHost:(id)fp8;
> + (void)setAllowsAnyHTTPSCertificate:(BOOL)fp8 forHost:(id)fp12;
>
> @end


Even ignoring compatibility issues, I think it would be a bad idea to 
use that. It completely disables the authentication features of SSL, 
removing any assurance that the server you've connected to is the 
right one. (That's not just a theoretical security problem. Something 
like 25% of public DNS servers have been compromised, according to 
recent reports, and can direct users to phishing/malware/ad sites even 
if they enter the domain name properly. The only thing protecting you 
from that is SSL certificate checking.)

In layman's terms, this is like sawing off the ground prong on the 
plug of your new power drill because you don't have a grounded outlet 
nearby. :-O

IMHO the user should only be allowed to bypass an invalid cert if 
s/he's first had a chance to look at the contents of the cert, as 
Safari does. In the absence of that sort of functionality, this is too 
dangerous to use.

—Jens
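
The alternative to the private method quoted above, as an added example that is not part of the original message or thread: a session delegate that evaluates the server's certificate chain and refuses the connection when validation fails, logging the certificate subjects so a person can inspect what was presented. It uses the later NSURLSession API (macOS 12 / iOS 15 or newer for the chain call) rather than NSURLConnection, and the class name StrictTrustDelegate is an assumption.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate (the class name is an assumption, not an Apple API).
// It never accepts a certificate that the system trust evaluation rejects.
@interface StrictTrustDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation StrictTrustDelegate

- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                                  NSURLCredential *))completionHandler
{
    NSURLProtectionSpace *space = challenge.protectionSpace;

    // Only server-certificate challenges are handled here.
    if (![space.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = space.serverTrust;
    CFErrorRef cfError = NULL;
    if (trust != NULL && SecTrustEvaluateWithError(trust, &cfError)) {
        // Chain is valid for this host: proceed normally.
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
        return;
    }

    // Validation failed (expired, wrong host, untrusted issuer, ...).
    // Record why and which certificates were presented, then fail closed.
    NSError *error = CFBridgingRelease(cfError);
    NSLog(@"TLS validation failed for %@: %@", space.host, error);
    if (trust != NULL) {
        NSArray *chain = CFBridgingRelease(SecTrustCopyCertificateChain(trust));
        for (id cert in chain) {
            NSString *subject = CFBridgingRelease(
                SecCertificateCopySubjectSummary((__bridge SecCertificateRef)cert));
            NSLog(@"  presented certificate: %@", subject);
        }
    }
    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
}

@end
```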
