Security - Windows Phone fails to check certificate Common Names when synchronising email using SSL
Windows Phone currently suffers from a security vulnerability when synchronising email to and from POP3 / IMAP / SMTP servers using SSL, according to a recent filing over at the US-CERT (United States Computer Emergency Readiness Team) website. The issue is pinpointed to Microsoft's mobile OS not verifying CN (Common Name) of server certificates when connecting to servers using SSL.
This opens up a potential threat from a man-in-the-middle attack, which would enable someone to view login or session data in the corresponding protocol (SMTP, POP3, etc.) Good news is Microsoft is reportedly aware of the security vulnerability and plans to release an update to address the issue.
Microsoft is looking to crank up security in its products, particularly Windows Phone 8. We've previously looked at how the company will be improving security in the next major version of Windows Phone.
Source: US-CERT; thanks, Yotsuba, for the heads up!
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.
Rich Edmonds was formerly a Senior Editor of PC hardware at Windows Central, covering everything related to PC components and NAS. He's been involved in technology for more than a decade and knows a thing or two about the magic inside a PC chassis. You can follow him on Twitter at @RichEdmonds.