Marcel,

Are you saying that CordovaWebviewClient.onReceivedSslError can’t get the actual cert?

Oh… the SslCertificate object returned by SslError.getCertificate is mostly about the DN. *sigh* I’ll have a look and see if I can come up with something. Back to the proverbial.

- tommy

On 24 Jan 2014, at 4:34 am, Marcel Kinard <cmarc...@gmail.com> wrote:

> Although Moxie's point may be a bit radical, I think it is a valid scenario.
>
> It would be nice to implement this. I'd even be willing to do it, since I have a
> customer that wants this too. I'm familiar only with Android, but I'm still
> struggling to see a way to do this there: the
> CordovaWebViewClient.onReceivedSslError method will get called only for
> self-signed certs (so it doesn't cover the full pinning scenario that has a
> valid CA), but even if you are OK with that the cert data available doesn't
> include the server's public key (the self DN and issuer DN isn't
> authoritative enough to do the pin comparison).
>
> If there are implementation alternatives I'm missing, I'm all ears.
>
> On Jan 22, 2014, at 8:08 PM, Tommy-Carlos Williams <to...@devgeeks.org> wrote:
>
>> I am reconsidering the “deal breaker” status of only working with
>> self-signed certs.
>>
>> In one of the articles I have been using as a reference[1], Moxie
>> Marlinspike actually prefers the option of doing away with the CAs entirely
>> for mobile apps and doing exactly that[2].
>>
>> I can certainly think of a way that it would work better for our use case.
>> The only use case harmed would be wanting to pin the certs of third party
>> services like Parse, etc.
>>
>> I guess it comes down to… is it better to do something for some people than
>> nothing for anyone. If it could be done in a way that only impacted those
>> that opted in, surely the former beats the latter.
>>
>> - tommy
>>
>>
>>
>> 1. http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/
>> 2. http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/#option_1_wipe_the_page_clean
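Editor's note, added after the thread and not code from any of the participants or from the Cordova project: the SslCertificate handed to onReceivedSslError does expose more than the DNs on Android API 14 and later, because the static SslCertificate.saveState() writes the DER-encoded leaf certificate into its Bundle under the key "x509-certificate". That key is an implementation detail of android.net.http.SslCertificate rather than a documented contract, so the example assumes it is present on the Android versions you target. With the X509Certificate in hand, a SubjectPublicKeyInfo SHA-256 pin can be compared the way HPKP and OkHttp pins are. The package name, class name and pin values below are placeholders. This does nothing for the CA-signed case raised above: the callback only runs once the platform has already failed to validate the chain.

```java
// Added example for the thread above: recover the leaf X509Certificate inside
// CordovaWebViewClient.onReceivedSslError and compare its SPKI SHA-256 pin.
// Assumes Android API 14+ and that SslCertificate.saveState() stores the DER
// certificate under "x509-certificate" (implementation detail, not documented API).
package org.example.pinning; // hypothetical package

import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.util.Base64;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;

import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

public final class PinnedSslErrorHandler {

    // Constructed placeholders: base64(SHA-256(SubjectPublicKeyInfo)) of the
    // server key. Replace with real pins; keep a backup pin so key rotation
    // does not brick deployed apps.
    private static final List<String> PINNED_SPKI_SHA256 = Arrays.asList(
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
            "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=");

    private PinnedSslErrorHandler() {}

    /** Recover the full leaf certificate behind an SslError, or null if unavailable. */
    static X509Certificate leafCertificate(SslError error) {
        SslCertificate cert = error.getCertificate();
        if (cert == null) return null;
        Bundle state = SslCertificate.saveState(cert);
        // "x509-certificate" is the key used by SslCertificate.saveState/restoreState.
        byte[] der = state == null ? null : state.getByteArray("x509-certificate");
        if (der == null) return null;
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        } catch (Exception e) {
            return null;
        }
    }

    /** base64(SHA-256(SubjectPublicKeyInfo)), the same pin form as HPKP and OkHttp. */
    static String spkiPin(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    /**
     * Called from a WebViewClient's onReceivedSslError. Only an untrusted chain is
     * eligible for a pin override; hostname mismatch, expiry and date problems are
     * still rejected because a pinned key does not make those errors go away.
     */
    public static void handle(WebView view, SslErrorHandler handler, SslError error) {
        int[] fatal = {SslError.SSL_NOTYETVALID, SslError.SSL_EXPIRED,
                SslError.SSL_IDMISMATCH, SslError.SSL_DATE_INVALID, SslError.SSL_INVALID};
        for (int code : fatal) {
            if (error.hasError(code)) {
                handler.cancel();
                return;
            }
        }
        if (!error.hasError(SslError.SSL_UNTRUSTED)) {
            handler.cancel();
            return;
        }
        X509Certificate leaf = leafCertificate(error);
        if (leaf == null) {
            handler.cancel();
            return;
        }
        try {
            leaf.checkValidity();
            if (PINNED_SPKI_SHA256.contains(spkiPin(leaf))) {
                handler.proceed();
                return;
            }
        } catch (Exception ignored) {
            // fall through to cancel
        }
        handler.cancel();
    }
}
```

Wire it up by overriding onReceivedSslError in the WebViewClient subclass and delegating to PinnedSslErrorHandler.handle(view, handler, error). Pinning the SPKI rather than the whole certificate lets the server renew a self-signed cert without changing the key; pinning the DN alone, as the thread notes, pins nothing an attacker cannot copy.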