On Thu, 19 Jan 2012 14:54:01 -0800 (PST) Oleg Gryb wrote:

>> self-signed cert is not a "hard" requirement, but rather a questionable
>> practice and in this regard, The whole idea of CA is that everybody knows
>> and trusts them and relies on them when something needs to be verified
>> about a less known third party.

This is what yanked my chain. It has nothing to do with trust; it simply helps you to know that you are connecting to or receiving data from a source (domain) that you must verify yourself. CAs help with websites, not with trust of the site (ignore EV), but that your connection is to that domain. This is very different from apps, especially where an app may be spoofed via a similar name. Maintaining a personal list of trusted authors would be better.

> So each time when somebody wants to connect to a new website you
> suggest to check it manually, probably by googling or by checking an
> author's background. Interesting approach, but I think, it'll hardly
> work for 99% of people including myself.

In fact you should consider if you trust a website before connecting in plain text, which is why emails are so dangerous, because you don't choose the links you're given. That is the case; just understand that you are running on luck and hopefully (*for you*, and most likely) the malware is attacking others and not you, except for your local resources. This is one of the reasons, aside from Microsoft (I expect) wanting you to upgrade your hardware and buy a new Windows, as to why Windows slows down over time a lot more when it's an online machine. Did you know attackers disable other malware and patch the hole they used to get in before Microsoft does, as they want your resources to themselves without you reinstalling?

> The same is true about mobile apps and yes, I do care about all 180M
> web sites and 500,000 android apps simply because I have no idea which
> website I'll need to visit tomorrow or which app to download to my
> device. At the time when I need them, most likely I won't have time to
> verify anything, so I'll need to rely on somebody or something, be it
> Android market or a CA.

You still haven't understood; websites and apps are very different. Security is all about specifics.
-- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.