This is an automated email from the ASF dual-hosted git repository.

erisu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cordova-docs.git


The following commit(s) were added to refs/heads/master by this push:
     new c971dbc  docs: Security revisements (#1109)
c971dbc is described below

commit c971dbc136948b044c5aaf1c6be7d119f57d7e4d
Author: Norman Breau <nor...@normanbreau.com>
AuthorDate: Fri Aug 7 04:31:27 2020 -0300

    docs: Security revisements (#1109)
---
 www/docs/en/dev/guide/appdev/security/index.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/www/docs/en/dev/guide/appdev/security/index.md 
b/www/docs/en/dev/guide/appdev/security/index.md
index 6e87d7d..dc965b8 100644
--- a/www/docs/en/dev/guide/appdev/security/index.md
+++ b/www/docs/en/dev/guide/appdev/security/index.md
@@ -53,11 +53,21 @@ There are ways to approximate certificate pinning, such as 
checking the server's
 
 There are also plugins that can do true certificate pinning for some 
platforms, assuming your app is able to do all of its network requests using 
the plugin (i.e.: no traditional XHR/AJAX requests, etc).
 
+## Using TLS/SSL
+
+If your app communicates to an external server, it should be communicating 
using modern encryption standards. Use `https` protocol whenever possible.
+
+[Let's Encrypt](https://letsencrypt.org/) is a free, automated, and open 
certificate authority provided by the nonprofit [Internet Security Research 
Group](https://www.abetterinternet.org/). Let's Encrypt will offer free 
standard certificates, which will be sufficient for most developers. Enterprise 
organizations may still want to use a traditional certificate authority that 
offers more advanced features such as [Organization 
Validation](https://en.wikipedia.org/wiki/Public_key_certifica [...]
+
+It is also important to keep up to date with security standards as they change 
over time. What might be acceptable SSL/TLS configuration today may not be 
acceptable years in the future. Using tools to test your certificate and 
SSL/TLS configuration should be done regularly. [SSL 
Labs](https://www.ssllabs.com/ssltest/) is a free online service provided by 
Qualys, Inc to test your server's SSL/TLS configuration and encryption 
strength, in addition to supported platforms.
+
 ## Self-signed Certificates
 
 Using self-signed certificates on your server is not recommended. If you 
desire SSL, then it is highly recommended that your server have a certificate 
that has been properly signed by a well-known CA (certificate authority). The 
inability to do true certificate pinning makes this important.
 
-The reason is that accepting self-signed certificates bypasses the certificate 
chain validation, which allows any server certificate to be considered valid by 
the device. This opens up the communication to man-in-the-middle attacks. It 
becomes very easy for a hacker to not only intercept and read all communication 
between the device and the server, but also to modify the communication. The 
device will never know this is happening because it doesn't verify that the 
server's certificate is [...]
+The reason is that accepting self-signed certificates bypasses the certificate 
chain validation, which allows any server certificate to be considered valid by 
the device. This opens up the communication to man-in-the-middle attacks. It 
becomes very easy for a hacker to not only intercept and read all communication 
between the device and the server, but also to modify the communication. The 
device will never know this is happening because it doesn't verify that the 
server's certificate is [...]
+
+If the application is to be used only within a trusted network, such as an 
internal corporate network. Using self-signed certificates may be acceptable, 
however the public certificate should be pre-installed on the device(s) that 
will be running the application. A trusted third-party certificate authority 
will always be preferable.
 
 The principles described here are not specific to Apache Cordova, they apply 
to all client-server communication.
 
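Review bot: The new paragraph "If the application is to be used only within a trusted network, such as an internal corporate network. Using self-signed certificates may be acceptable, however ..." is cut in two by the period after "network", leaving the condition as a fragment; join it with a comma ("... such as an internal corporate network, using self-signed certificates may be acceptable; however, the public certificate should be pre-installed ..."). Two smaller wording points in the same hunk: "Let's Encrypt will offer free standard certificates" should be present tense, since it already does ("offers"), and "communicates to an external server" reads better as "communicates with". Finally, because the preceding paragraph states that accepting self-signed certificates bypasses certificate chain validation, it would help to say explicitly that pre-installing the certificate on the device means the app still validates the server against that specific certificate, rather than disabling validation altogether; otherwise the "trusted network" advice can be read as endorsing the very bypass the section warns about.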


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cordova.apache.org
For additional commands, e-mail: commits-h...@cordova.apache.org
