FTC Settles With Sites Over SSL Lies
An anonymous reader writes "The makers of two major mobile apps, Fandango and Credit Karma, have settled with the Federal Trade Commission after the commission charged that they deliberately misrepresented the security of their apps and failed to validate SSL certificates. The apps promised users that their data was being sent over secure SSL connections, but the apps had disabled the validation process. The settlements with the FTC don't include any monetary penalties, but both companies have been ordered to submit to independent security audits every other year for the next 20 years and to put together comprehensive security programs."
Tip from a programmer (Score:4, Interesting)
This should be a lesson: If somebody is having trouble connecting with you, or you're under some kind of deadline pressure and you can't connect to them, don't turn off SSL validation. Get your connection working properly before going live. Because once you go live, you won't want to/may not be able to properly set up SSL.
Re:Tip from a programmer (Score:5, Interesting)
you're under some kind of deadline pressure and you can't connect to them, don't turn off SSL validation.
OR: Always turn off SSL validation, because it's totally worthless.
The problem is CAs get subverted all the time into issuing certs they shouldn't issue.
In general, the validation provided by a certificate doesn't work, and many developers and security professionals alike mistake the theoretical security benefits of validation for the facts in reality.
SSL Certs = Maginot Line [iang.org]
Re:Tip from a programmer (Score:4, Interesting)
Why would they need to compromise your CAs? They can compromise any CA, because unless the client uses a tighter-than-normal designated requirement, it will trust any cert for your domain as long as it is signed by any of dozens of CAs. That's what makes TLS so flawed.
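To make the thread's point concrete, here is an added example in Python (not code from Fandango, Credit Karma or any poster): the client context that reproduces the disabled-validation behaviour described in the complaint, beside the correct default, plus the "tighter-than-normal" pin check the comment above alludes to. The fingerprint set and the `fetch_pinned` helper are assumptions for illustration.

```python
import hashlib
import socket
import ssl


def make_context(validate: bool = True) -> ssl.SSLContext:
    """Return a TLS client context.

    validate=False reproduces the anti-pattern in the FTC complaint: no chain
    verification and no hostname check, so any certificate presented by a
    man-in-the-middle is accepted. validate=True is the secure default.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    if not validate:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_validating(ctx: ssl.SSLContext) -> bool:
    """True only if the context both verifies the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """Pin check: a chain that some other CA signed is still rejected unless
    the leaf's fingerprint is one the client explicitly trusts."""
    return cert_fingerprint(der_cert) in pins


def fetch_pinned(host: str, pins: set, port: int = 443) -> bytes:
    """Connect with full validation, then enforce the pin on the leaf cert.
    (Hypothetical helper; needs network access to run.)"""
    ctx = make_context(validate=True)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pins):
                raise ssl.SSLError("leaf certificate does not match pinned set")
            tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return tls.recv(4096)
```

A disabled context from `make_context(False)` is what the complaint describes; a pin failure raises rather than silently trusting whatever CA-signed certificate arrives.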