- From: Chris Palmer <palmer@google.com>
- Date: Thu, 18 Dec 2014 16:17:44 -0800
- To: michael.martinez@xenite.org
- Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, mozilla-dev-security@lists.mozilla.org, blink-dev <blink-dev@chromium.org>

On Thu, Dec 18, 2014 at 4:08 PM, Michael Martinez <michael.martinez@xenite.org> wrote:

> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf

That paper describes bugs in the certificate validation procedures *of specific clients*. (Note that the authors call out the fact that the clients in question are *not* browsers.) That doesn't mean the protocol is fundamentally flawed; it means those particular non-browser clients have bugs.

If you can find such a bug in Chrome (or Firefox, or other browser), you should report the flaw to the vendor. Google offers money in reward for such findings:

https://www.google.com/about/appsecurity/chrome-rewards/index.html

If you can find one, we would consider such a finding to be a high-priority bug.

Received on Friday, 19 December 2014 00:18:12 UTC