What is the impact of disabled TLS hostname verification?

Çağlar Arlı

I have a Java client that connects to a server, but in the Java client code where the connection is built, hostname verification is disabled. When the client tries to connect to serverA.com, what is the impact if hostname verification is not enabled? Checking online, it is mentioned that a MITM attack is possible; however, how is this possible? If the rogue server presents a certificate, even if the hostname is not checked, the certificate should still be signed by a CA trusted by the client, no? I can't think of a way this attack could be possible. Am I mistaken in my analysis, or am I missing something?
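
Added example, not part of the original question: a simplified Java model of the two independent checks a TLS client makes, showing which certificates are accepted for serverA.com with hostname verification off and on. The `Cert` record, the CA name and the sample certificates are constructed for illustration; real chain validation also covers signatures, validity dates and revocation.

```java
import java.util.List;
import java.util.Set;

public class HostnameCheckDemo {
    // Constructed stand-in for the certificate fields that matter here (assumption).
    record Cert(String issuer, List<String> dnsNames) {}

    // Constructed trust store: names of the CAs this client trusts.
    static final Set<String> TRUSTED_CAS = Set.of("Example Public CA");

    // Check 1, chain validation (simplified): was the cert issued by a trusted CA?
    static boolean chainTrusted(Cert c) {
        return TRUSTED_CAS.contains(c.issuer());
    }

    // Check 2, hostname verification: was the cert issued for the host we dialled?
    // Exact match, or a wildcard that covers exactly one left-most label.
    static boolean nameMatches(Cert c, String host) {
        String h = host.toLowerCase();
        for (String san : c.dnsNames()) {
            String s = san.toLowerCase();
            if (s.equals(h)) return true;
            if (s.startsWith("*.")) {
                int dot = h.indexOf('.');
                if (dot > 0 && h.substring(dot).equals(s.substring(1))) return true;
            }
        }
        return false;
    }

    // With verifyHostname == false only check 1 decides.
    static boolean accept(Cert c, String host, boolean verifyHostname) {
        return chainTrusted(c) && (!verifyHostname || nameMatches(c, host));
    }

    public static void main(String[] args) {
        Cert genuine    = new Cert("Example Public CA", List.of("serverA.com"));
        // Validly issued by the same trusted CA, but for a different site.
        Cert otherSite  = new Cert("Example Public CA", List.of("unrelated.example"));
        // Right name, but not issued by any trusted CA.
        Cert selfSigned = new Cert("unrelated.example", List.of("serverA.com"));
        for (Cert c : List.of(genuine, otherSite, selfSigned)) {
            System.out.printf("%s%n  verification off: %b, verification on: %b%n", c,
                accept(c, "serverA.com", false), accept(c, "serverA.com", true));
        }
    }
}
```

In real Java clients, `HttpsURLConnection` performs the name check by default unless a permissive `HostnameVerifier` is installed, while a raw `SSLSocket` or `SSLEngine` performs it only after `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` is set.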