"The Most Dangerous Code in the World"

Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries. (emphasis original) Vulnerable software includes Amazon’s EC2 Java library and all cloud clients based on it; Amazon’s and PayPal’s merchant SDKs… Chase mobile banking… any Android app that uses Pusher API to manage real-time messaging (for example, GitHub’s Gaug.es), clients of Apache ActiveMQ servers… Instant messenger clients such as Trillian and AIM do not validate certificates correctly, either.
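The conclusion above turns on two separate checks a TLS client has to make and that the affected SDKs skipped or misconfigured: is the certificate chained to a trusted CA, and is it issued for the host the client actually connected to (plus the validity window). The block below is an added example written for this page, not code from the paper or from any of the products it names. It uses Python's standard `ssl` module; every function name and the `SAMPLE_CERT` / `LEGACY_CN_CERT` data are constructed for illustration. It shows the hardened context beside the weak configuration so that `audit_context()` can flag the latter, and implements the RFC 6125 wildcard rules over the dictionary shape that `SSLSocket.getpeercert()` returns.

```python
import ipaddress
import ssl

# --- 1. Client context: the two settings the broken libraries got wrong -------

def secure_client_context() -> ssl.SSLContext:
    """Verify the chain against the system trust store AND check that the
    certificate is issued for the host we asked for."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def insecure_client_context() -> ssl.SSLContext:
    """The 'verify=False' anti-pattern: every certificate is accepted.
    Present only so that audit_context() below has something to flag."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means both checks are enabled."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any name is accepted")
    return findings

# --- 2. Hostname matching (RFC 6125 rules) over a getpeercert()-shaped dict ---

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard that is the entire left-most label and covers
    exactly one label: *.example.com matches api.example.com but neither
    example.com nor a.b.example.com, and f*.example.com is not a wildcard."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match against subjectAltName; fall back to the subject commonName only
    when the certificate carries no SAN extension at all (legacy behaviour)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # IP literals match only iPAddress SAN entries, never DNS names
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if not dns_names:
        if san:         # SAN present but without DNS entries: the CN must not be consulted
            return False
        dns_names = [value for rdn in cert.get("subject", ()) for key, value in rdn
                     if key == "commonName"]
    return any(_dns_name_matches(name, hostname) for name in dns_names)

# --- 3. Validity window -------------------------------------------------------

def is_within_validity(cert: dict, now_epoch: float) -> bool:
    """notBefore/notAfter come back from getpeercert() as strings such as
    'Jan  5 09:34:43 2018 GMT'; ssl.cert_time_to_seconds parses that format."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_epoch <= not_after

# Constructed samples in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
    "notBefore": "Jan  5 09:34:43 2018 GMT",
    "notAfter": "Jan  5 09:34:43 2019 GMT",
}
LEGACY_CN_CERT = {  # constructed: no SAN at all, so the CN fallback applies
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.net"),)),
}

if __name__ == "__main__":
    print("secure context findings:  ", audit_context(secure_client_context()))
    print("insecure context findings:", audit_context(insecure_client_context()))
    for host in ("api.example.com", "a.b.example.com", "example.com", "192.0.2.10"):
        print(f"{host:20} -> {hostname_matches(SAMPLE_CERT, host)}")
```

In a real client `ssl.create_default_context()` already performs the chain check and the hostname match during the handshake, so `hostname_matches()` is here to make visible what that match actually requires; `audit_context()` is the kind of check worth running in a test suite over any context a wrapper library hands back, because the failure mode the paper describes is a default quietly switched off several layers below application code.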