On Wed, 18 Jan 2012 17:05:30 -0800 (PST)
Oleg Gryb wrote:

> There are 180M websites in the world. Do you suggest to put 180M self-
> signed certificates to a browser? Good luck with that and with
> implementing CRL logic around it.
> There are 500,000 android apps, the number of publishers is probably
> smaller, but still I would not want to deal with each and every self-
> signed certificate trying to understand if:
> 
> 1. I want to trust it
> 2. If it's associated with a malware
> 3. If its private key has been compromised
> 
> Thanks, but no, I don't want to be in this business.

I was merely explaining that your statements about self-signed were
wrong, and you seem to have misread what I said (though I had been awake
for > 36 hours when I wrote it), which was that apps are different. But
now that it's been brought up, how many websites do you actually care
about an assured secure connection for? On Linux, app source is signed by
authors via gpg, which is more secure but less likely than using a signed
repo.

There is a major argument that EV reduces security because people see a
green light (aside from spoofing especially with modern browsers since
that paper), rather than checking manually and considering if they
TRUST, perhaps googling it. 

Similar is true for Markets, more so Apple's than Android's, because
they advertise that they audit it, though they can't, of course.

I'd like to see a phone still working after 500,000 apps are
installed; they won't fit, and your phone will probably have a
saturated connection sending spam. There is no way around the fact that
a user has to research an app, with the only guarantee being checking the
source code. There is a business there, but is it viable? What are you
trying to do?
