[android-developers] Re: Webview + self signed ssl cert
..or you have a known safe channel (such as adb or local secured/trusted wifi) you can use to get the cert the first time. And what does that have to do with "how do I do this" anyway? On Mon, May 25, 2009 at 11:02 AM, Mike Hearn wrote: > >> The server and url in question is private and no one apart from myself >> will ever use it. Personally, I can't see the point of getting a >> proper signed certificate for this. > > Well, read the link I sent. If you're using encryption, presumably > you're worried about somebody attempting to snoop your traffic. If > you're worried about that, then self-signed certificates are something > to avoid, unless you can hard code the certificate in your app then > check it against what the WebView received, but i'm not sure there's > an API for that. If you're not worried about MITM attacks then you > don't need encryption (bear in mind 3G is already encrypted). > > > --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: Webview + self signed ssl cert
> The server and url in question is private and no one apart from myself > will ever use it. Personally, I can't see the point of getting a > proper signed certificate for this. Well, read the link I sent. If you're using encryption, presumably you're worried about somebody attempting to snoop your traffic. If you're worried about that, then self-signed certificates are something to avoid, unless you can hard code the certificate in your app then check it against what the WebView received, but i'm not sure there's an API for that. If you're not worried about MITM attacks then you don't need encryption (bear in mind 3G is already encrypted). --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: Webview + self signed ssl cert
Al, I really wouldn't bother with self-signed certificates for obvious reasons. If you are looking for little or no cost you could try a free cert from here: http://www.startssl.com/?app=0 Mind you I haven't tested a cert from startssl so please let us know if they work :-) Hope this helps Al wrote: > Mike, I missed your reply, it must have been posted while I was still > replying. > > The server and url in question is private and no one apart from myself > will ever use it. Personally, I can't see the point of getting a > proper signed certificate for this. But regardless, it should be > possible to to handle this sort of thing in webview. > > On May 24, 10:22 pm, Mike Hearn wrote: > >> Don't use self signed certs?http://www.gerv.net/security/self-signed-certs/ >> >> There's a reason they are treated as an error I appreciate it may >> *seem* like you're adding security without any cost, but you really >> aren't, especially on a phone where MITM attacks are a whole lot more >> feasible than a wired connection. >> > > > > --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: Webview + self signed ssl cert
Mike, I missed your reply, it must have been posted while I was still replying. The server and url in question is private and no one apart from myself will ever use it. Personally, I can't see the point of getting a proper signed certificate for this. But regardless, it should be possible to to handle this sort of thing in webview. On May 24, 10:22 pm, Mike Hearn wrote: > Don't use self signed certs?http://www.gerv.net/security/self-signed-certs/ > > There's a reason they are treated as an error I appreciate it may > *seem* like you're adding security without any cost, but you really > aren't, especially on a phone where MITM attacks are a whole lot more > feasible than a wired connection. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: Webview + self signed ssl cert
I have checked the browser, but it uses a method not available in the
sdk to handle ssl errors. Inside TabControl.java, it has this:
private class SubWindowClient extends WebViewClient {
.
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler,
SslError error) {
mClient.onReceivedSslError(view, handler, error);
}
.
onReceivedSslError isn't a method available in the sdk, which is how I
assume you would handle this sort of problem.
http://developer.android.com/reference/android/webkit/WebViewClient.html
On May 24, 10:14 pm, Mariano Kamp wrote:
> When I have issues like that I check how the built-in browser handles the
> url.
>
> On Sun, May 24, 2009 at 10:47 PM, Al wrote:
>
> > Hi, I'm using webview to try and load a url over a https connection,
> > but all I get is a blank page. I've set up my WebViewClient and
> > overrode the error and page loading started methods. The debug
> > messages show the page is being loaded and InetAddress shows it made
> > the made lookup but no content is shown and no error is thrown. I've
> > tried loading a non-ssl page, which worked fine.
>
> > I've had a look at the webkit package and it has a SslErrorHandler
> > class, but I can't find anyway to hook onto it's methods. I've also
> > had looked at the android browser code and it overrides a method not
> > found in the sdk.
>
> > So does anyone know how I can load up an SSL site which uses a self
> > signed cert in a webview?
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers-unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
-~--~~~~--~~--~--~---
[android-developers] Re: Webview + self signed ssl cert
Don't use self signed certs? http://www.gerv.net/security/self-signed-certs/ There's a reason they are treated as an error I appreciate it may *seem* like you're adding security without any cost, but you really aren't, especially on a phone where MITM attacks are a whole lot more feasible than a wired connection. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: Webview + self signed ssl cert
When I have issues like that I check how the built-in browser handles the url. On Sun, May 24, 2009 at 10:47 PM, Al wrote: > > Hi, I'm using webview to try and load a url over a https connection, > but all I get is a blank page. I've set up my WebViewClient and > overrode the error and page loading started methods. The debug > messages show the page is being loaded and InetAddress shows it made > the made lookup but no content is shown and no error is thrown. I've > tried loading a non-ssl page, which worked fine. > > I've had a look at the webkit package and it has a SslErrorHandler > class, but I can't find anyway to hook onto it's methods. I've also > had looked at the android browser code and it overrides a method not > found in the sdk. > > So does anyone know how I can load up an SSL site which uses a self > signed cert in a webview? > > > --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
