26 lines
1.3 KiB
Plaintext
26 lines
1.3 KiB
Plaintext
=== What is the potential impact?
|
|
|
|
Establishing trust in a secure way is a non-trivial task. When you disable
|
|
certificate validation, you are removing a key mechanism designed to build this
|
|
trust in internet communication, opening your system up to a number of potential
|
|
threats.
|
|
|
|
==== Identity spoofing
|
|
|
|
If a system does not validate certificates, it cannot confirm the identity of
|
|
the other party involved in the communication. An attacker can exploit this by
|
|
creating a fake server and masquerading as a legitimate one. For example,
|
|
they might set up a server that looks like your bank's server, tricking your
|
|
system into thinking it is communicating with the bank. This scenario, called
|
|
identity spoofing, allows the attacker to collect any data your system sends
|
|
to them, potentially leading to significant data breaches.
|
|
|
|
==== Loss of data integrity
|
|
|
|
When TLS certificate validation is disabled, the integrity of the data you send
|
|
and receive cannot be guaranteed. An attacker could modify the data in transit,
|
|
and you would have no way of knowing. This could range from subtle manipulations
|
|
of the data you receive to the injection of malicious code or malware into your
|
|
system. The consequences of such breaches of data integrity can be severe,
|
|
depending on the nature of the data and the system.
|