
The most dangerous code: Validating SSL certs in non-browser software (2012) [pdf]

Quality: 9/10 Relevance: 9/10

Summary

This 2012 paper investigates why broken SSL certificate validation in non-browser software is a critical security flaw. It highlights common misconfigurations and insecure defaults that enable man-in-the-middle attacks, and it argues for using standard TLS libraries with correct hostname and chain validation. The work offers practical best practices and real-world examples to improve TLS validation across non-browser applications.
