So NetCipher's ch.boye for a long time has included the ability to use a custom keystore. Mark and I have been thinking that this could be a good approach for a form of integrated pinning in the NetCipher wrappers for all of the various HTTP APIs (HttpURLConnection, Apache HttpClient for Android, Volley, OkHTTP, etc). The core idea would be a gradle plugin or script that downloads the Mozilla CA certificates collection, then finds the CA used by a provided HTTPS connection, then builds a custom keystore that only includes that specific CA's certificate from the Mozilla collection (turns out that Android N is including something very similar).
I'd love to hear feedback, flames, comments, etc. on whether this would be a good idea both in terms of security and ease of use.

.hc

--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556

_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email: [email protected]
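The selection step the proposal describes (take the chain a server presents, work out which root in the Mozilla bundle anchors it, and emit a trust store holding only that root) can be checked end to end without network access. The following Go program is an added example written for this page; it is not NetCipher code and not the proposed Gradle plugin. Instead of downloading the real Mozilla bundle it constructs three throwaway root CAs in memory to stand in for bundle entries, issues a server certificate from one of them, and then shows that the resulting one-certificate store accepts that server's chain and rejects a chain issued by a different, otherwise perfectly valid, bundle root. The hostname `api.example.org` and the root names are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCA builds a self-signed root CA. Constructed test data that stands in
// for one entry of the Mozilla CA bundle.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeLeaf issues a server certificate for host, signed directly by ca.
func makeLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selectCA is the "find the CA used by the connection" step: it tries a full
// chain verification against each bundle root on its own and returns the one
// that actually anchors the server's chain.
func selectCA(leaf *x509.Certificate, intermediates, bundle []*x509.Certificate, host string) (*x509.Certificate, error) {
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	for _, root := range bundle {
		roots := x509.NewCertPool()
		roots.AddCert(root)
		if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter}); err == nil {
			return root, nil
		}
	}
	return nil, errors.New("no root in the bundle anchors this chain")
}

// pinnedStorePEM is the generated trust store: a PEM file holding only the
// selected root, which is what a custom keystore would be built from.
func pinnedStorePEM(root *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
}

// verifyAgainstStore is what the pinned client does at connection time.
func verifyAgainstStore(leaf *x509.Certificate, storePEM []byte, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(storePEM) {
		return errors.New("no certificates in store")
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// countCerts reports how many certificates the generated store contains.
func countCerts(storePEM []byte) int {
	n := 0
	for b, rest := pem.Decode(storePEM); b != nil; b, rest = pem.Decode(rest) {
		n++
	}
	return n
}

// DemoResult summarises one run of the whole pipeline.
type DemoResult struct {
	SelectedName   string // CN of the bundle root that was pinned
	StoreCerts     int    // certificates in the generated store (expect 1)
	PinnedVerifies bool   // the real server chain verifies against the store
	OtherVerifies  bool   // a chain from another bundle root verifies (expect false)
}

// RunDemo builds a constructed three-root "bundle", pins the root that signed
// the server certificate, and exercises the resulting store.
func RunDemo() (DemoResult, error) {
	var res DemoResult
	var bundle []*x509.Certificate
	var keys []*ecdsa.PrivateKey
	for _, n := range []string{"Constructed Root A", "Constructed Root B", "Constructed Root C"} {
		c, k, err := makeCA(n)
		if err != nil {
			return res, err
		}
		bundle, keys = append(bundle, c), append(keys, k)
	}
	const host = "api.example.org" // constructed hostname
	leaf, err := makeLeaf(host, bundle[1], keys[1])
	if err != nil {
		return res, err
	}
	root, err := selectCA(leaf, nil, bundle, host)
	if err != nil {
		return res, err
	}
	store := pinnedStorePEM(root)
	other, err := makeLeaf(host, bundle[2], keys[2]) // valid cert, wrong root
	if err != nil {
		return res, err
	}
	res.SelectedName = root.Subject.CommonName
	res.StoreCerts = countCerts(store)
	res.PinnedVerifies = verifyAgainstStore(leaf, store, host) == nil
	res.OtherVerifies = verifyAgainstStore(other, store, host) == nil
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The caveat this surfaces for the proposal: the store pins whichever root anchored the chain at build time, so a site that later re-issues from a different CA (or whose CA cross-signs through a new root) will fail hard until the store is regenerated, which is the usual availability trade-off of CA pinning and worth making visible in the plugin's output.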
