On 9/26/2009 5:54 AM, Pavel Machek wrote:
Well... mujmail.org email client also does not validate ssl cerificates -- optionaly. Reasoning is that SSL with unverified certificate is still better than sending plaintext passwords. Does that count as a vulnerability?
Yes; it's not that difficult for someone on the same network segment to proxy all your traffic, and if you don't check your certificate then you might as well have sent it plaintext.
If you don't want to buy a cert, then set up your own mini-CA and install the CA root cert on your client.
