On Apr 4, 2014, at 3:12 PM, Traun Leyden <[email protected]> wrote:
> I think that site must be using a self-signed certificate, or is using a
> certificate that is not signed by a "standard" certificate authority that's
> pre-shipped with the http client libs.
>
> There's a way to plug in a custom SSLSocketFactory that should allow you to
> circumvent the issue:

Putting on my security hat (made of tinfoil): If you do this, be cautious. Do not override SSL verification to always succeed, or to check only the hostname. The right thing to do is to embed your server's self-signed cert, or the nonstandard root cert that signed it, into your app and tell the SSL verifier to use that as a trusted cert. Otherwise you leave yourself open to various forms of man-in-the-middle attack where someone with control over the app's DNS (i.e. via a hacked WiFi router) can point it to a fake server.

This isn't just hypothetical. If you've seen recent headlines about "Thousands of iOS and Android apps found vulnerable to SSL attacks", this is what they're talking about. There are real-world WiFi router hacks that do this for some servers used by popular apps, and it's not impossible that someone might do it to you if your app gets popular enough...

--Jens

--
You received this message because you are subscribed to the Google Groups "Couchbase Mobile" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/mobile-couchbase/EF408235-9616-41D9-ACE6-31C44719FFD6%40couchbase.com.
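An added example, not from this thread and not Couchbase's own code, of what Jens recommends in Java/Android terms (the custom SSLSocketFactory Traun mentions): the app ships the server's self-signed cert or the private root CA, and the standard X.509 TrustManager is pointed at that single trust anchor instead of being disabled. The PEM stream and the `open` helper are assumptions about how the app loads its resources and makes requests.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedTrust {

    /**
     * Builds an SSLSocketFactory that trusts exactly one certificate: the server's
     * self-signed cert, or the private root CA that signed it. Anything else, including
     * a cert from a public CA, is rejected, so a fake server reached through poisoned
     * DNS or a hostile Wi-Fi router cannot complete the handshake. This is the
     * alternative to a TrustManager whose checkServerTrusted() does nothing.
     *
     * @param pemStream PEM-encoded certificate bundled inside the app (assumed to come
     *                  from res/raw or assets; how it is opened is platform-specific).
     */
    public static SSLSocketFactory fromEmbeddedCert(InputStream pemStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate trusted = cf.generateCertificate(pemStream);

        // Empty in-memory KeyStore holding only our certificate as a trust anchor.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("server", trusted);

        // The platform's normal TrustManager, fed our store instead of the system CA
        // list, still does full chain building, signature and validity-period checks.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Replace only the socket factory. Leave the default HostnameVerifier in place so the
    // name in the certificate must still match the host in the URL.
    public static HttpsURLConnection open(URL url, InputStream pemStream) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(fromEmbeddedCert(pemStream));
        return conn;
    }
}
```

If the embedded cert is later rotated, the app must ship an update before the old one expires, so plan the rollover rather than loosening verification when it bites.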
