koobas.hobune.stream
WWW/WWWForm, does Unity validate SSL certificates?
I have been reading either contrasting or possibly outdated information regarding this topic.
Does Unity, in July 17th 2016, validate the SSL certificates received when communicating with an HTTPS server?
If so, can someone assure that it is immune to MITM attacks or not? And is this platform dependent or does it work regardless (e.g. Desktop, Web, Android, iOS, etc.)?
Thanks!
According to unity script reference it does support https protocol so SSL should work on every device (except web, web can only access pages on the same server).
I've been perfor$$anonymous$$g local testing on PC (windows 10 standalone) with the 'UnityWebRequest' against https://badssl.com/.
Unity appears to not validate any parts of the certificate except for the hostname.
expired, self-signed, untrusted root, and revoked certs don't throw any errors.
This means that someone could create a self-signed certificate for your domain and potentially compromise any user they $$anonymous$$IT$$anonymous$$.
An example attack vector would be overriding the DNS for a large corporate network and pointing it at your server. You could then self-sign a cert for any domain and potentially s$$anonymous$$l passwords or session cookies.
While unity does support the encryption portion of SSL, that doesn't mean the connection is actually secure.
