On Wed, 18 Jan 2012 09:05:47 -0800 (PST) Oleg Gryb wrote:

>> you probably know that all major browsers are pre-packaged
>> with trusted CA's public certs and I can't imagine what would you do
>> if everybody was using self-signed certs.

Actually it just makes it easy but less secure. I know of a site that uses a self-signed certificate, publishing his fingerprint for this very reason. In the case of web, domain control is the main thing that is verified by another service, this doesn't apply to apps.

> If you don't know anything about a signer and don't have anyone
> to ask about him, which is the case with self-signed certs, then you
> should not really trust to the content provided in its fields.

Please, what enterprise... wool pulling at best. Do you only use certified firewalls, despite the remote root exploits like Cisco's crap by any chance? Okay so someone can revoke a certificate, reducing the blatantness of a likely hacked device. What *MAGIC* do you think a CA does other than provide a false sense of security which is worse than NO security. Do you trust a website because you see some pretty green EV icon no matter what your environment/network or what the domain is?? because a lawyer or accountant! is supposed to have verified some company he knows nothing about and websites are where CAs have *some* use for users.

CAs do mean that you are giving out the ability to impersonate you, FACT and so this is less secure in this case than self-signed. If your system is more secure than the CAs, (quite possible) then you are reducing your users' security by using a CA. If the author's system is the weak point well the author's trojaned crap will get signed anyway. I wonder how many trojans/malware actually get found, bringing revocation to bear, I'd suggest just the blatant, dime a dozen ones!!! that you can usually spot in the market because it's a free version of Worms etc..

Market side yeah, make attackers do more work and allow remote deletion etc. but this has NOTHING to do with a user trusting an app, the same as despite Google's best efforts, unfortunately the permissions have little to do with a user trusting an app (currently and likely for at least a long time).

You don't trust a signer, you trust an author/source with best practice being checking and building apps from source and self-signing an app or checksum with your own offline key. Trust no one especially not big companies that do fsck all and have employees that use their date of birth as their password for everything and can be a stepping stone (RSA, Google, CAs, dumb sh*t (easily avoided), but there you go).

Self-signed is not a questionable practice, you just have to verify the app's particular key is safe, this is far more secure. What are you trying to do, something GENERIC rather than specific?

--
Kc
