On 06/09/16 11:54, Hans-Christoph Steiner wrote:
> Have you run tests yet of HTTPS verification using your technique? You
> can take code from the NetCipher tests if you want.

Thanks, that's a good idea. We've tried it with a few HTTPS sites but haven't done any testing in depth.

> I don't remember details now, but I know that when doing tricks with how
> Socket instances are created on Android, important pieces went missing,
> like hostname verification. In cases like these, it is important to
> remember that Android != Java. Android only promises to provide what
> they document in their SDK docs, not all of Java. And many companies
> choose to take that opportunity to get lazy/sloppy with their builds of
> Android.

Unfortunately these device-specific issues are hard to test on anything except a pile of real devices - any suggestions for how to reduce the manual testing workload?

Cheers,
Michael
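
The hostname-verification gap raised in the quoted paragraph, as an added example (not code from this thread or from NetCipher): when TLS is layered over a socket the app created itself, `SSLSocket.startHandshake()` validates the certificate chain but does not check the hostname, so the check has to be made explicitly. The names `VerifiedTlsSocket`, `wrap` and `accepts` are hypothetical, and the code assumes Android, where `HttpsURLConnection.getDefaultHostnameVerifier()` returns a working verifier (the desktop JVM default rejects every host).

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper for illustration; not part of any project named in this thread.
public final class VerifiedTlsSocket {

    /**
     * Layers TLS over an already-connected socket (for example one opened
     * through a proxy) and then verifies the hostname explicitly.
     */
    public static SSLSocket wrap(Socket plain, String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // autoClose=true: closing the TLS socket also closes the underlying one.
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);
        try {
            tls.startHandshake(); // certificate chain validation only
            HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
            if (!verifier.verify(host, tls.getSession())) {
                throw new SSLPeerUnverifiedException("Certificate does not match host " + host);
            }
            return tls;
        } catch (IOException e) {
            tls.close();
            throw e;
        }
    }

    /**
     * Test helper: connects to connectHost but verifies the certificate against
     * expectedHost. Returns true only if the handshake and the hostname check pass.
     */
    public static boolean accepts(String connectHost, String expectedHost, int port) {
        try (Socket plain = new Socket()) {
            plain.connect(new InetSocketAddress(connectHost, port), 10_000);
            try (SSLSocket tls = wrap(plain, expectedHost, port)) {
                return true;
            }
        } catch (IOException e) {
            return false; // connect, chain validation or hostname check failed
        }
    }
}
```

In an instrumented test, `accepts(host, host, 443)` should be true for a correctly configured server, and `accepts(host, otherName, 443)` should be false on every device; a device where the second call returns true has lost hostname verification.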
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email: [email protected]
