On 2009-03-02 at 05:53 -0800, Joshua Juran wrote:
> Apparently Apple wants me to disable SSL so anybody using the same
> hotspot can read my messages and steal my credentials.
>
> The security is a lie.
But, if you're on a hotspot, then you're subject to arp spoofing; one person with dsniff installed can redirect your traffic to go via their box, so when you're on wifi that's exactly when you *most* need to verify the identity of the remote site. On wifi, you're fooling yourself if you think that accepting arbitrary unverified host certs is better than nothing.

Who runs the hotspot? Can't you get them to at the very least use a private CA and set that CA to trusted on your client side?

That's how I manage most SSL stuff, a private CA. For most of my content, my wife and I are the only users, so it's a matter of setting the CA cert up as trusted; anyone else can choose to trust me or bugger off and not access those sites. (I finally succumbed and paid for a cheap-ass cert for the one site I've ended up pointing others to.)

-Phil