Author: Mike Hearn 2014-08-08 09:53:24
Published on: 2014-08-08T09:53:24+00:00
Certificate validation is deemed unnecessary unless an attacker can directly perform a man-in-the-middle attack during connection time which is more difficult to maintain than injecting a client.reconnect. It is pointed out that the TCP connection will be reset once the route reconfiguration is completed by the MITM server or by the client TCP stack when it discovers that the server no longer knows about the connection. However, utilizing TLS without certificate validation defeats its purpose since one can still be connected to a MITM at any point by anyone who can disrupt or corrupt the stream and force a reconnect.
Updated on: 2023-06-09T01:58:23.588204+00:00