Sunday, September 25, 2011

Re: [android-developers] SSL Android

On Mon, Sep 26, 2011 at 12:13 PM, Greg Donald <gdonald@gmail.com> wrote:
> On Sun, Sep 25, 2011 at 8:28 PM, Nikolay Elenkov
> <nikolay.elenkov@gmail.com> wrote:
>> This, too, is wrong. While I agree that most CAs add little value, because
>> they hardly do any verification before issuing your $5 cert (you get what you
>> pay for), 'hitting an https url' is not enough. Encryption without
>> authentication is worthless: who cares if your data stream uses unbreakable
>> 10000-bit quantum encryption, if you are sending the data to the wrong place?
>
> My Android game is the only client of my self-signed setup.  I do not
> need to worry about data going to the wrong place, I do not process
> credit cards or interact with anything but the game client.  I'm not
> buying into the CA racket for such a non important thing as an Android
> game.  Self-signed is fine for this case.  The server and its streams
> to my Android app are just as secure as if I had spent the CA money.

You are not reading what I wrote. Calm down, and read it again. Nowhere
did I say that you need to 'buy into the CA racket'. What I said is that,
if you don't check the server certificate, there is little value in using
encryption alone (because you are vulnerable to a man-in-the-middle attack).
The fact that you don't care doesn't change that. If your game is not
important, why are you using SSL in the first place? Self-signed is
indeed fine, but you have to at least validate the server certificate to
make sure it's your own certificate, and therefore your own server.

>
> And while you're freaking out over me not paying the CA money, I'll
> add..

See above, I am not.

> And finally, I have another Android project at my day job.  I use an
> actual CA cert for that.  We have client data being passed.  It
> matters there, not to mention I don't want to field calls from people
> like yourself freaking out over the little browser thingy not glowing
> green or whatever the latest CA eye-candy enticements may be this
> month.

You are still missing the point. 'An actual CA' can be a commercial CA,
or it can be your own private CA. If a private CA makes sense for you,
by all means use one. But you still need to validate your certificates,
or the whole SSL exercise becomes pretty much pointless.

Another thing: people like yourself, who don't understand the technology
involved, shouldn't be trying to give advice about it.

--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
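What "validate the server certificate" from the reply above looks like in practice: an added example (not code from either poster) that makes an Android/Java `HttpsURLConnection` trust exactly one certificate, the server's own self-signed one shipped inside the app, instead of the system CA list or a trust-everything `TrustManager`. The resource name `server_cert.pem` and the alias `game-server` are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedSelfSignedClient {

    // Build an SSLContext whose trust store holds only the app's own server cert.
    // pemCert is the PEM/DER-encoded self-signed certificate bundled with the app
    // (assumed here to be opened from res/raw/server_cert.pem by the caller).
    public static SSLContext contextTrustingOnly(InputStream pemCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert = cf.generateCertificate(pemCert);

        // Start from an EMPTY key store: no system CAs, no $5 commercial certs,
        // just the one certificate we expect the game server to present.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("game-server", serverCert);

        // The default X509 trust manager now rejects any chain that does not end
        // in exactly this certificate, which is what defeats a man-in-the-middle.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Open an HTTPS connection that uses the pinned context. The default hostname
    // verifier is deliberately left in place: the pinned cert's CN/SAN must still
    // match the host in the URL, so a stolen copy on another host is refused.
    public static HttpsURLConnection open(String url, SSLContext pinned) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(pinned.getSocketFactory());
        return conn;
    }

    // Contrast: an X509TrustManager whose checkServerTrusted() body is empty, or a
    // HostnameVerifier that always returns true, accepts ANY certificate. That is
    // "encryption without authentication": the stream is encrypted, but possibly
    // to whoever is sitting between the phone and the server.
}
```

The same one-certificate trust can be declared without code on Android 7.0 and later via a `network_security_config.xml` `<trust-anchors>` entry, and in both forms the check fails loudly when the server presents anything other than your own certificate.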
