with the release of Home Assistant 0.56, we misconfigured the SSL context that aiohttp used (PR). By trying to do the right thing (use an up to date cert store instead of relying on the system certs), we ended up doing the complete opposite: SSL verification was disabled for outgoing requests that were done using the shared aiohttp session. This is our fault, and not aiohttp’s faults. The impact of this is that certain integrations in Home Assistant have been susceptible to man in the middle attacks.