Severely broken handling of SSL/TLS certificates?
Posted: Thu Nov 20, 2014 9:08 amHi All,
I have tried to connect to several HTTPS web site using the web browser included in the SmartTV simulator (part of the SDK).
To my astonishment, I found that the SmartTV web browser happily connects to any HTTPS web site regardless of the SSL Server certificate being untrusted, revoked, or even expired.
Unless this behaviour is a known limitation of the SDK, not found on real Smart TVs, this is a huge security hole that should be fixed quickly.
Can anybody explain what trusted CAs are embedded in the SDK (and in real TVs, if those are different) ?
And how come the SmartTV specification does not address this issue?
-- Adriano
I have tried to connect to several HTTPS web site using the web browser included in the SmartTV simulator (part of the SDK).
To my astonishment, I found that the SmartTV web browser happily connects to any HTTPS web site regardless of the SSL Server certificate being untrusted, revoked, or even expired.
Unless this behaviour is a known limitation of the SDK, not found on real Smart TVs, this is a huge security hole that should be fixed quickly.
Can anybody explain what trusted CAs are embedded in the SDK (and in real TVs, if those are different) ?
And how come the SmartTV specification does not address this issue?
-- Adriano