After reading Dan's recent blogs, I started poking around and checking out how some other non-browser SSL clients handle invalid certificates.
First up, iTunes. I fired up TSeeP with a self-signed certificate, and started MITMing phobos.apple.com. The result:
Hmm. Pretty vague. Error -9812.
Next, I tried my trusty revoked login.live.com cert, just to see what would happen. The revoked certificate generated:
Error -9808. Another vague one. OK, let's Google "itunes 9808".
First hit: http://soccerislife8.blogspot.com/2008/02/itunes-error-9808.html
That page tells you to follow another link to: http://techupdate.blogvis.com/2008/02/09/itunes-error-9808/
The second link is where the "fix" for error 9808 is. From the blog post:
Also under Security make sure that the “Check for server certificate revocation (requires restart)” is unchecked. Then click ok and fire up iTunes.
One of the many comments:
I had the same problem and unchecked the “Check for server certificate revocation (requires restart)”.
It works. Thank You.

According to the comments, there are a number of folks who come across such a vaguely worded error message, look to Google for help, and follow these instructions without a second thought, never realizing that by turning off revocation checking they are degrading their own security.
In short, if you're responsible for an application that acts as an SSL client, it is not enough just to perform certificate validation. When a certificate turns out NOT to be valid, you need to act appropriately: refuse the connection, and WARN the user in terms they can act on. An opaque error code sends them to a forum whose "fix" is to switch the check off.
A better version of the iTunes invalid-certificate message:
"SECURITY WARNING: There has been a problem validating the identity of an iTunes server. If you are using a public network, please connect to the Internet over a trusted connection such as your home or office network, and try again. If problems persist, reach out to your technical support contact for your Internet connection."
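As an added example (not code from the original post, and nothing to do with Apple's implementation), here is the client-side behaviour the paragraph above calls for, written against Python's standard ssl module: a strict context with certificate, host name and CRL revocation checking on, and a refusal path that keeps OpenSSL's numeric verify code for the support log while showing the user a message in the spirit of the one above. Host names, ports and the CRL file path are placeholders, and the failures in the demo are constructed rather than captured from a live handshake.

```python
"""Added example, not code from the original post: a TLS client that
refuses to connect on any certificate validation failure and turns
OpenSSL's numeric verify result into a warning the user can act on.
Host names, ports and the CRL path are placeholders."""
import socket
import ssl
from dataclasses import dataclass

# OpenSSL X509 verify result codes a client most often sees
# (values from OpenSSL's x509_vfy.h).
X509_V_ERR_UNABLE_TO_GET_CRL = 3
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_CERT_REVOKED = 23
X509_V_ERR_HOSTNAME_MISMATCH = 62

# One plain-language cause per code; the generic fallback covers the rest.
CAUSES = {
    X509_V_ERR_UNABLE_TO_GET_CRL:
        "the server's certificate could not be checked for revocation",
    X509_V_ERR_CERT_HAS_EXPIRED:
        "the server's certificate has expired",
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
        "the server presented a certificate that no trusted authority vouches for",
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
        "the server's certificate chains to an authority this client does not trust",
    X509_V_ERR_CERT_REVOKED:
        "the server's certificate has been revoked by its issuer",
    X509_V_ERR_HOSTNAME_MISMATCH:
        "the server's certificate was issued for a different host name",
}

ADVICE = (" The connection was refused. If you are using a public network, "
          "reconnect over a trusted connection such as your home or office "
          "network and try again. If the problem persists, contact your "
          "technical support.")


@dataclass
class TlsOutcome:
    connected: bool
    user_message: str   # shown to the user
    detail: str         # logged for support staff


def make_client_context(cafile=None, crlfile=None):
    """Strict client context: server cert required, host name checked,
    leaf certificate checked against a CRL.  With VERIFY_CRL_CHECK_LEAF
    set and no CRL loaded, OpenSSL fails closed with verify code 3;
    that is the behaviour we want, not a silent skip."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if crlfile:
        ctx.load_verify_locations(cafile=crlfile)  # PEM CRLs load via the same call
    return ctx


def context_is_strict(ctx):
    """True when the context still has every check a client needs."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF))


def classify_verification_failure(code, reason):
    """Map a verify code plus OpenSSL's reason string to a refusal."""
    cause = CAUSES.get(code, "the identity of the server could not be confirmed")
    msg = "SECURITY WARNING: " + cause[0].upper() + cause[1:] + "." + ADVICE
    return TlsOutcome(False, msg,
                      f"certificate verification failed: code={code} ({reason})")


def connect_securely(host, port=443, cafile=None, crlfile=None, timeout=10.0):
    """Return an open TLS socket, or a TlsOutcome saying why the
    connection was refused.  There is no unverified fallback."""
    ctx = make_client_context(cafile, crlfile)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)  # handshakes here
    except ssl.SSLCertVerificationError as exc:
        raw.close()
        return classify_verification_failure(
            getattr(exc, "verify_code", None),
            getattr(exc, "verify_message", None) or str(exc))


if __name__ == "__main__":
    # Offline demonstration with constructed failures; no network needed.
    for code, reason in ((18, "self signed certificate"),
                         (23, "certificate revoked"),
                         (3, "unable to get certificate CRL")):
        print(classify_verification_failure(code, reason).user_message)
```

The caveat a practitioner will hit first: once VERIFY_CRL_CHECK_LEAF is set, every handshake fails with verify code 3 until a current CRL for the issuing CA is loaded. That is the fail-closed behaviour you want, and the operator's fix is to ship a CRL (or move to OCSP), not to clear the flag, which is exactly the "uncheck the box" advice the forum above hands out.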