Comments on IMQ Minded Security Blog: SSL MiTM attack in AFNetworking 2.5.1 - Do NOT use it in production!
Feed author: Minded Security
Feed updated: 2024-02-18T02:36:33.709-08:00

Anonymous, 2015-06-25T05:36:32.870-07:00
See also:
https://github.com/AFNetworking/AFOAuth2Manager/issues/98

Darren Poole, 2015-06-15T04:54:32.507-07:00
I want more information in your blog. Really good in your networking blogs for ours. Thanks for sharing.

Anonymous, 2015-05-01T00:39:01.498-07:00
If you are still using AFNetworking 1.x on new projects you have a totally different existential issue.
If your project hasn't been updated since September/October 213, probably no one cares about your project.

Anonymous, 2015-04-27T02:18:59.405-07:00
Is this problem applicable for AFNetworking 1.x library too?

Anonymous, 2015-04-02T01:34:06.792-07:00
By the way, the patch referenced in this article was never used... (I know because I re-made it and recognise the difference -- the patch you mention was withdrawn and re-made with some better names.) Check the commits leading to 2.5.2 and the subsequent update mentioned in these comments. Worth adding a correction/edit to the article IMO.

Anonymous, 2015-03-30T00:53:24.170-07:00
This article includes wrong information. Please fix it.
The version of less than 2.5.1 is also vulnerable, and not fixed yet in 2.5.2.

Anonymous, 2015-03-27T10:16:10.653-07:00
The validatesDomainName problem is fixed with https://github.com/AFNetworking/AFNetworking/commit/3e631b203dd95bb82dfbcc2c47a2d84b59d1eeb4

Anonymous, 2015-03-27T07:20:45.668-07:00
Hmm,
https://github.com/AFNetworking/AFNetworking/blob/master/AFNetworking/AFSecurityPolicy.m#L249
https://github.com/AFNetworking/AFNetworking/issues/2549

The default value of validatesDomainName is NO,
I think that AFNetworking 2.5.2 is still vulnerable.

Minded Security, 2015-03-27T02:26:57.989-07:00
@Anonymous, thanks for the heads up! We've just updated the post.

Minded Security, 2015-03-27T02:13:18.545-07:00
@Mikel, as stated in our post, there's no need for responsible disclosure since the issue was already public in the AFNetworking repository; you should ask that to the guy that posted the issue on GitHub. :)

Mikel, 2015-03-26T20:14:41.351-07:00
What about responsible disclosure?

Anonymous, 2015-03-26T15:25:02.665-07:00
AFNetworking 2.5.2 is the latest as of March 26, and does not suffer from the described vulnerability.