Great, now would the android team please implement some basic user cert management so that your users can gain some direct control of their trust choices?
http://code.google.com/p/android/issues/detail?id=11231

I would have expected something this basic to have been supported in the first shipped version of Android, and in any case it's been reported for more than two and a half years... since the day after the G1 went on sale:

http://code.google.com/p/android/issues/detail?id=1016

On Mar 30, 2011, at 4:21 PM, Nick Kralevich wrote:

> Hi Peter,
>
> FYI: We have released a patch which addresses the Comodo root CA compromise.
> The patch is available at
>
> http://android.git.kernel.org/?p=platform/external/bouncycastle.git;a=commit;h=3ab12958718f17e48e2816a84d403f6305cc2800
>
> and will be pushed to Google managed devices (Nexus S, Nexus One) on the next
> OTA. As always, we strongly encourage Android OEMs to incorporate this patch
> into their build.
>
> Take care,
> -- Nick Kralevich
> Android Security Team
>
> On Thu, Mar 24, 2011 at 9:18 AM, peterw <[email protected]> wrote:
> BTW, anyone interested in the CA PKI model really ought to read Jacob
> Appelbaum's account of a recent incident in which a Comodo sub-CA was
> used to issue bogus certs for Google, Microsoft, Yahoo, Mozilla, and
> Skype hostnames:
>
> https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
>
> Dianne can stop reading now because she knows what's next. Typical
> Android users are likely out of luck, forced to wait until the Android
> team merges the blacklist patch from Chromium *and* releases new dot
> versions of Android OS *and* the device manufacturers update firmwares
> (*and* in the US and similar countries, the cell phone companies bless
> the new firmwares). This is another example of Android's OS & update
> design flaws, that Google can't push even such a small,
> straightforward fix out to all Android end users. :-(
>
> -Peter
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
