- Maintaining a set of certificates is hard (especially on apps and IoT devices).
- It’s much easier just to accept any certificate (or certificates that sign themselves).
Question
What’s the problem?
- If the client accepts self-signed certificates, then it’s easy to mount a man-in-the-middle attack: whoever sits on the network path can present their own certificate and the client will trust it.
- This has been shown to happen a lot in devices and code that use TLS!
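The "accept anything" client configuration beside its hardened form, as an added example that is not part of the original slides. It uses only Python's standard `ssl` module; the function names and the small audit helper are my own, and no network connection is made.

```python
import ssl
from typing import Optional


def insecure_client_context() -> ssl.SSLContext:
    """The 'accept any certificate' pattern the slide warns about.

    No chain validation (CERT_NONE) and no hostname check, so a
    self-signed or otherwise attacker-controlled certificate is accepted
    and the connection can be silently intercepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be switched off first; Python refuses
    # CERT_NONE while hostname checking is still enabled.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Validate the chain against a trust store and check the hostname.

    cafile is optional: when None, the platform/OpenSSL default CA store
    is loaded. For a device that talks to one known backend, pass the
    path to that backend's CA (or the pinned certificate) instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets CERT_REQUIRED + check_hostname=True;
    # additionally refuse legacy protocol versions.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_accepts_any_certificate(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True if this context would accept an arbitrary certificate.

    CERT_NONE means no chain check at all. CERT_REQUIRED without
    check_hostname is also flagged: any valid certificate for *any* name
    would then be accepted for this server.
    """
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the verification settings in plain strings (handy for logs/tests)."""
    return {
        "verify_mode": ssl.VerifyMode(ctx.verify_mode).name,
        "check_hostname": bool(ctx.check_hostname),
        "accepts_any_certificate": context_accepts_any_certificate(ctx),
    }


if __name__ == "__main__":
    print("insecure:", describe_context(insecure_client_context()))
    print("hardened:", describe_context(hardened_client_context()))
```

The audit helper is the useful part for code review: grep a code base for `CERT_NONE` and `check_hostname = False` (or their equivalents in other TLS libraries) and treat each hit as a finding unless the context is clearly test-only.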