Although Moxie's point may be a bit radical, I think it is a valid scenario.

It would be nice to implement this. I'd even be willing to do it, since I have a 
customer that wants this too. I'm familiar only with Android, but I'm still 
struggling to see a way to do this there: the 
CordovaWebViewClient.onReceivedSslError method will get called only for 
self-signed certs (so it doesn't cover the full pinning scenario that has a 
valid CA), but even if you are OK with that, the cert data available doesn't 
include the server's public key (the self DN and issuer DN aren't authoritative 
enough to do the pin comparison).

If there are implementation alternatives I'm missing, I'm all ears.

On Jan 22, 2014, at 8:08 PM, Tommy-Carlos Williams <to...@devgeeks.org> wrote:

> I am reconsidering the “deal breaker” status of only working with self-signed 
> certs.
> 
> In one of the articles I have been using as a reference[1], Moxie Marlinspike 
> actually prefers the option of doing away with the CAs entirely for mobile 
> apps and doing exactly that[2].
> 
> I can certainly think of a way that it would work better for our use case. 
> The only use case harmed would be wanting to pin the certs of third party 
> services like Parse, etc.
> 
> I guess it comes down to… is it better to do something for some people than 
> nothing for anyone. If it could be done in a way that only impacted those 
> that opted in, surely the former beats the latter.
> 
> - tommy
> 
> 
> 
> 1. 
> http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/
> 2. 
> http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/#option_1_wipe_the_page_clean
