> That's pretty much what I'm doing. I have a self-signed certificate
> on this one game I built and this method works fine with that.
If it seems to work, that doesn't mean it's right or secure.
> It doesn't matter who signed your cert (especially these days) so as long
> as you're hitting an https url. It's the encryption you care about,
> not the certificate authority who signed off on it.
>
This, too, is wrong. While I agree that most CAs add little value, because
they hardly do any verification before issuing your $5 cert (you get what you
pay for), 'hitting an https url' is not enough. Encryption without
authentication is worthless: who cares if your data stream uses unbreakable
10000-bit quantum encryption, if you are sending the data to the wrong place?
(say, an attacker, instead of PayPal). Even if you use your own CA, or a
self-signed certificate, you *have* to make sure the server you are talking to
is using *that particular* self-signed certificate, otherwise you are just
wasting your time.
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en