Update 2017-11-03: Some of these issues have been improved on macOS Safari (I didn’t check iOS). Original post follows.
Last week I filed three bugs with Apple regarding how Safari handles invalid certificates.
Bug #1 (Mac OS and iOS): It’s way too easy for a user to bypass a certificate warning. There’s a bunch of text no one will read and a big friendly “Continue” button. Invalid certificates are serious and should not be ignored lightly. Your average user doesn’t know this. It’s the responsibility of the browser to treat invalid certificates with appropriate gravitas. Safari fails here.
Bug #2 (iOS): After continuing through a certificate warning, the address bar displays a closed padlock icon. This falsely indicates to the user that their interactions with the page are secure.
Bug #3 (iOS): If a user continues through a certificate warning, this decision should expire at some point. Maybe if the user visits the site in a new browser window. Maybe after a certain amount of time has gone by. As far as I can tell the cert bypass is remembered indefinitely.
Combined, these three issues greatly undermine the effectiveness of https on iOS. I’d wager that it’s significantly easier to perform a man-in-the-middle attack of an https site on an iOS Safari user than an iOS Chrome user.
Apple: You’re one of the biggest companies in the world. You command huge shares of the consumer computer and mobile device markets. Fix your shit.