Make sure SetupBlogTask does not ask for 'trust SSL' on wpcom #993

Closed
daniloercoli opened this Issue Feb 27, 2014 · 1 comment

Contributor

daniloercoli commented Feb 27, 2014

We should probably avoid asking the user to trust the certificate if the connection is with wpcom. Wrong certificate, MITM.

@daniloercoli daniloercoli added this to the 2.7 milestone Feb 27, 2014

Contributor

maxme commented Feb 28, 2014

That can't happen, to check:

  1. DNS spoof wordpress.com and redirect it to a server with a 443 port open and serving a https server.
  2. Add a wpcom blog as a self hosted (by entering wordpress.com in the self hosted url text box)
  3. Try to login

That fails with an error, because the exception raised by Volley is not the same one we use to detect a self-signed certificate.

Still added a check in df64bdf

@maxme maxme added a commit that referenced this issue Feb 28, 2014

@maxme maxme fix #993: be sure to never ask the user to trust an erroneous ssl certificate for wordpress.com domain
df64bdf

@daniloercoli daniloercoli closed this in #995 Feb 28, 2014

@daniloercoli daniloercoli added a commit that referenced this issue Feb 28, 2014

@daniloercoli daniloercoli Merge pull request #995 from wordpress-mobile/issue/993-wpcom-ssl
fix #993: be sure to never ask the user to trust an erroneous ssl certificate for wordpress.com domain
290e1f5
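
An added example, not the project's code and not the contents of df64bdf: one way to decide whether a certificate error may be shown as a "trust this certificate" prompt, so that wordpress.com and its subdomains never get one. The class and method names are hypothetical, and the sample inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Hypothetical helper, not the project's code.
public class TrustPromptPolicy {
    // Assumption: wordpress.com and every subdomain of it must never get a trust prompt.
    private static final String WPCOM = "wordpress.com";

    /** Normalized host of a user-entered site address, or null if none can be parsed. */
    static String hostOf(String userInput) {
        String s = userInput.trim();
        if (!s.matches("[A-Za-z][A-Za-z0-9+.-]*://.*")) {
            s = "https://" + s; // a bare host name typed into the URL box
        }
        try {
            String host = new URI(s).getHost(); // userinfo and port are not part of the host
            if (host == null) return null;
            host = host.toLowerCase(Locale.ROOT);
            // A fully qualified name may carry a trailing dot: "wordpress.com."
            return host.endsWith(".") ? host.substring(0, host.length() - 1) : host;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** True only if a certificate error for this address may be offered as "trust this certificate?". */
    static boolean mayOfferTrustPrompt(String userInput) {
        String host = hostOf(userInput);
        if (host == null) return false; // fail closed: unparsable input never gets a prompt
        // Compare on a label boundary so "notwordpress.com" is not treated as wpcom.
        boolean isWpCom = host.equals(WPCOM) || host.endsWith("." + WPCOM);
        return !isWpCom;
    }

    public static void main(String[] args) {
        String[] constructed = { // constructed sample inputs
            "wordpress.com", "https://WordPress.com/xmlrpc.php", "example.wordpress.com.",
            "https://wordpress.com@blog.example/", "wordpress.com.blog.example",
            "notwordpress.com", "https://blog.example:8443/"
        };
        for (String in : constructed) {
            System.out.println(in + " -> prompt allowed: " + mayOfferTrustPrompt(in));
        }
    }
}
```

The decision is made on the parsed host rather than on the raw text of the URL box, so an address that merely contains the string wordpress.com is not mistaken for wpcom, and a wpcom address entered as self-hosted is still refused the prompt.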