On 17/08/15 20:56, juice wrote:
> The authenticity of the server is not so important that it definitely requires
> a true certificate, it is just enough that the communication between the client
> and the server is encrypted.

You didn't ask this, so feel free to ignore this comment... But be aware that accepting all certificates without checking does compromise encryption. Of course, any certificate can be used to create good quality encryption, but the problem with not checking the authenticity is that it exposes you to man-in-the-middle attacks. If someone can somehow insert themselves into the communication path, and offer you their own certificate, you would get perfect encryption to and from your enemy and your communication would still be exposed!

> The user anyway configures the used server by DNS
> name or IP address and usually the server is controlled by the user anyway.

I am not a security expert, and I recommend you contact someone who is. However, I would strongly suggest that, at the very least, you i) check the server name (so someone is forced to at least go to the effort of providing a certificate with the correct name), and ii) notify the client, and ask for confirmation, every time the certificate changes. If the server is controlled by the user they would know whether they have replaced the certificate!

> Now how can I do this, so that in the client I need not preload any certificates,
> so that for example when the user changes the server address, the next request
> just goes thru encrypted, without caring whether the server certificate
> is valid?

Personally, I would prefer that you provide a mechanism for me to provide you with the signing CA credentials so you can check my self-signed key really was signed by me (with a default of using the normal OS-shipped trusted CAs). But I don't know what your threat model is.

Graham

_______________________________________________
SailfishOS.org Devel mailing list
To unsubscribe, please send a mail to devel-unsubscr...@lists.sailfishos.org
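The reply's suggestion (ii) and its user-supplied-CA option, sketched in Python as an added example that is not part of the original thread or of any Sailfish code. `PinStore`, `may_connect`, `make_context` and the JSON pin file are hypothetical names, and treating first contact like a certificate change is an assumption.

```python
import hashlib, hmac, json, os, ssl, tempfile

def make_context(user_ca_file=None):
    # A user-supplied CA bundle replaces the OS trust store; with none given,
    # the OS-shipped CAs are used. Chain and hostname checks stay on either way.
    return ssl.create_default_context(cafile=user_ca_file)

class PinStore:
    """Remembers one SHA-256 certificate fingerprint per server name."""
    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def status(self, host, der_cert):
        fp = hashlib.sha256(der_cert).hexdigest()
        known = self.pins.get(host.lower())
        if known is None:
            return "first-seen", fp
        return ("match" if hmac.compare_digest(known, fp) else "changed"), fp

    def remember(self, host, fp):
        self.pins[host.lower()] = fp
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:  # write then rename: a crash cannot truncate the store
            json.dump(self.pins, f)
        os.replace(tmp, self.path)

def may_connect(store, host, der_cert, confirm):
    """confirm(host, state, fingerprint) -> bool stands in for the UI prompt."""
    state, fp = store.status(host, der_cert)
    if state == "match":
        return True                # unchanged certificate: no prompt
    if confirm(host, state, fp):   # first contact and every change need a yes
        store.remember(host, fp)
        return True
    return False                   # user declined: do not send the request

if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; in real use the bytes come
    # from SSLSocket.getpeercert(binary_form=True).
    store = PinStore(os.path.join(tempfile.mkdtemp(), "pins.json"))
    always_yes = lambda host, state, fp: True
    never = lambda host, state, fp: False
    print(may_connect(store, "example.test", b"constructed-cert-A", always_yes))
    print(may_connect(store, "example.test", b"constructed-cert-B", never))
```

The pin store only detects a change of certificate; it does not check the server name, which is what the context from `make_context` does when the certificate chains to the configured CA.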