<nikolay.elenkov@gmail.com> wrote:
> This, too, is wrong. While I agree that most CAs add little value, because
> they hardly do any verification before issuing your $5 cert (you get what you
> pay for), 'hitting an https url' is not enough. Encryption without
> authentication is worthless: who cares if your data stream uses unbreakable
> 10000-bit quantum encryption, if you are sending the data to the wrong place?
My Android game is the only client of my self-signed setup. I do not
need to worry about data going to the wrong place, I do not process
credit cards or interact with anything but the game client. I'm not
buying into the CA racket for such an unimportant thing as an Android
game. Self-signed is fine for this case. The server and its streams
to my Android app are just as secure as if I had spent the CA money.
And while you're freaking out over me not paying the CA money, I'll
add: I've worked for several employers who hosted their own in-house
email and such, and self-signed certs are very popular in those
instances. I know of two major health care providers in my town who
use self-signed certs for PHI.
And finally, I have another Android project at my day job. I use an
actual CA cert for that. We have client data being passed. It
matters there, not to mention I don't want to field calls from people
like yourself freaking out over the little browser thingy not glowing
green or whatever the latest CA eye-candy enticements may be this
month.
--
Greg Donald
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
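The setup Greg describes, a self-signed server whose only client is his own app, does give the authentication Nikolay is asking for, but only if the app trusts that one certificate instead of any certificate the network hands it. The following Java is an added example and not code from this thread; it assumes the server's public certificate is bundled in the APK as the asset `game-server.crt` (an assumed filename) and builds an Android `HttpsURLConnection` that accepts nothing else.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import android.content.Context;

/** Builds an SSLSocketFactory that trusts only the game server's own self-signed certificate. */
public final class PinnedTrust {
    // Assumed asset path: the server's public certificate (PEM or DER), shipped inside the APK.
    private static final String SERVER_CERT_ASSET = "game-server.crt";

    public static SSLSocketFactory build(Context ctx) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = ctx.getAssets().open(SERVER_CERT_ASSET)) {
            serverCert = cf.generateCertificate(in);
        }

        // An empty KeyStore holding exactly one trust anchor: the bundled certificate.
        // The device's system CA store is deliberately not included, so a certificate
        // issued by any public CA, or a different self-signed one, is rejected.
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        trusted.load(null, null);
        trusted.setCertificateEntry("game-server", serverCert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        SSLContext tls = SSLContext.getInstance("TLS");
        tls.init(null, tmf.getTrustManagers(), null);
        return tls.getSocketFactory();
    }

    /** Opens a connection that fails the handshake unless the server presents the pinned cert. */
    public static HttpsURLConnection open(Context ctx, URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(build(ctx));
        // The default HostnameVerifier is kept on purpose: the pinned certificate must
        // also name the host in the URL, so a copied cert on another host is still refused.
        return conn;
    }
}
```

Replacing this with a TrustManager that accepts every certificate would give the "encryption without authentication" case from the quoted reply; this version keeps the single-client setup authenticated without any CA involvement.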