
Installing a custom SSL root certificate feels like such a good idea. Not.

But I guess in order to get something for free, people are willing to go to great lengths in compromising their security. Remember: By installing that guy's SSL root certificate, you basically allow them to MITM not just the App store in-app purchasing (and by extension likely sniff your app store password) but also any other SSL-protected site like, say, your webmail provider.



As long as your browser does not pin certificates.


Which Safari on iOS doesn't do. Nor does the AppStore app. Obviously. Otherwise, this site wouldn't work.


I was referring to the browser sniffing webmail. Is the appstore a browser? I thought it was an application.


Applications outside of browsers use SSL.



