WWW/WWWForm, does Unity validate SSL certificates?
I have been reading either contrasting or possibly outdated information regarding this topic.
Does Unity, as of July 17th 2016, validate the SSL certificates received when communicating with an HTTPS server?
If so, can someone assure that it is immune to MITM attacks or not? And is this platform dependent or does it work regardless (e.g. Desktop, Web, Android, iOS, etc.)?
Thanks!
Answer by QuiZr · Jul 17, 2016 at 06:33 PM
According to the Unity script reference, it does support the HTTPS protocol, so SSL should work on every device (except web; web can only access pages on the same server).
I've been performing local testing on PC (Windows 10 standalone) with the 'UnityWebRequest' against https://badssl.com/.
Unity appears to not validate any parts of the certificate except for the hostname.
Expired, self-signed, untrusted root, and revoked certs don't throw any errors.
This means that someone could create a self-signed certificate for your domain and potentially compromise any user they MITM.
An example attack vector would be overriding the DNS for a large corporate network and pointing it at your server. You could then self-sign a cert for any domain and potentially steal passwords or session cookies.
While Unity does support the encryption portion of SSL, that doesn't mean the connection is actually secure.
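One way to close the gap described in the answer above is to pin the server's public key yourself. This is an added example, not code from the thread or from Unity; it assumes a Unity version that provides the `CertificateHandler` class and the `UnityWebRequest.certificateHandler` property (both postdate this thread), and the pin value and the `PinnedRequests` helper are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

// Added example (not from the thread): accept a server only if its leaf
// certificate is inside its validity window and carries the pinned key.
public sealed class PinnedKeyCertificateHandler : CertificateHandler
{
    // Placeholder (assumption): base64 SHA-256 of the bytes returned by
    // X509Certificate2.GetPublicKey() for your server's certificate.
    private const string PinnedKeySha256 = "REPLACE_WITH_YOUR_SERVER_KEY_HASH";

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        try
        {
            var cert = new X509Certificate2(certificateData);

            // NotBefore/NotAfter are local time, so compare with DateTime.Now.
            DateTime now = DateTime.Now;
            if (now < cert.NotBefore || now > cert.NotAfter)
                return false; // expired or not yet valid

            using (var sha = SHA256.Create())
            {
                string actual = Convert.ToBase64String(sha.ComputeHash(cert.GetPublicKey()));
                // A self-signed certificate for the same hostname has a different key.
                return string.Equals(actual, PinnedKeySha256, StringComparison.Ordinal);
            }
        }
        catch (CryptographicException)
        {
            return false; // unparsable certificate: fail closed
        }
    }
}

public static class PinnedRequests
{
    // Hypothetical helper: builds a GET request that uses the pinning handler.
    public static UnityWebRequest Get(string url)
    {
        var request = UnityWebRequest.Get(url);
        request.certificateHandler = new PinnedKeyCertificateHandler();
        request.disposeCertificateHandlerOnDispose = true; // free it with the request
        return request;
    }
}
```

Because the pin is tied to one key, rotating the server's key pair requires shipping a client build with the new hash (or pinning a backup key in advance).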