Closed abarrafo closed 7 years ago
Oops, hit submit on that before editing.
I am concerned that you accept self signed certs without installing them in the device as required in previous versions. This likely means that certificate errors are being ignored, which can pose a security risk.
I am a paid user of zmNinja, without digging through code.
My question is, how are certificate errors handled? If I front zm with a valid signed cert, will zmNinja enforce it and all of its attributes (domain name, valid CA signed..)?
Thanks
Good question. Yes, I am ignoring SSL errors. When I first released zmNinja, I did not. The following reasons forced me to do so:
a) Most users complained. The common complaint was they work on Desktops, why not on zmNinja? The problem is in Desktops you can click 'ok' and move on. On mobile devices, if you don't install a certificate it will get rejected without a callback, so I can't even handle it in the app.
b) While installing a self-signed certificate worked, in later versions of Android, this message started popping up
So if you install a self-signed certificate in Android, Google decided to scare the daylights out of users.
I see why you did it. But, it does open the door for man in the middle attacks, basically defeats SSL. Maybe have a feature toggle in settings for "self signed cert", that it defaults to "on". So if I put a real cert in front of it, I could toggle it off but leave "use SSL" on. The difference being the app decides to validate or not.
Just a thought, so users with real certificates can use them reliably.
I can give it a try. Given I don't have real certs, would you be willing to try? If so, please shoot me an email (pliablepixels@gmail) with the Android version you use and I could set you up with a test version.
(Commentary below written by @pliablepixels)
The issue summary (see discussion below)
As of today, zmNinja allows untrusted SSL certs without needing to install them on the phone. But by doing this, it is essentially disabling SSL security checks. The problem is if you don't do this, Android displays a terrifying 'the network is being monitored' warning when you install your self-signed cert in the phone, which freaks out regular users.
This however does not offer proper security for folks who have a paid up real cert.
So the proposal is to add a toggle to "disable SSL fix" for folks with real certs.
Note that certs need to be signed properly - there are many examples on the web where a paid up cert works on desktops but not on mobile due to signing chain issues. I'll let the user figure out all of this. I suppose if a user were to enable this option, they know what they are doing and are self-capable of fixing their cert issues.
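The toggle proposed in this thread, sketched with the Node.js TLS client API as an added example (not zmNinja's code; the settings names `useSSL` and `allowSelfSigned` are hypothetical). It shows what each toggle position means for verification and how the signing-chain problems mentioned in the summary surface as distinct error codes.

```javascript
'use strict';
// Added example, not zmNinja code. The settings fields (useSSL, allowSelfSigned) are hypothetical.

// Node.js verification error codes, grouped by what the server owner has to fix.
const DIAGNOSIS = {
  DEPTH_ZERO_SELF_SIGNED_CERT: 'self-signed certificate',
  SELF_SIGNED_CERT_IN_CHAIN: 'chain ends in a root this device does not trust',
  UNABLE_TO_VERIFY_LEAF_SIGNATURE: 'incomplete chain: intermediate CA not sent by the server',
  UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 'incomplete chain: issuer certificate not found',
  ERR_TLS_CERT_ALTNAME_INVALID: 'certificate does not cover this host name',
  CERT_HAS_EXPIRED: 'certificate has expired',
};

// Translate the two settings into tls.connect() options.
function tlsOptionsFor(settings, host, port = 443) {
  if (!settings.useSSL) return null; // plain HTTP: nothing to verify
  return {
    host,
    port,
    servername: host, // SNI, and the name the certificate is matched against
    rejectUnauthorized: !settings.allowSelfSigned, // false: chain and name errors are ignored
  };
}

// Decide what a verification result means under the current settings.
function verdict(settings, errorCode) {
  if (!errorCode) return { connect: true, verified: true, reason: 'certificate verified' };
  const reason = DIAGNOSIS[errorCode] || `verification failed (${errorCode})`;
  // Toggle on: the app connects anyway, encrypted but with an unauthenticated peer.
  return { connect: settings.allowSelfSigned === true, verified: false, reason };
}

// Handshake once without sending data, read the error Node recorded, apply the policy.
function probe(settings, host, port = 443) {
  const tls = require('node:tls'); // loaded lazily so the pure functions above have no dependencies
  const opts = tlsOptionsFor({ useSSL: true, allowSelfSigned: true }, host, port);
  return new Promise((resolve, reject) => {
    const sock = tls.connect(opts, () => {
      const code = sock.authorized ? null : sock.authorizationError;
      sock.end();
      resolve(verdict(settings, code));
    });
    sock.on('error', reject);
  });
}
```

Calling `probe({ useSSL: true, allowSelfSigned: false }, host)` against your own server reports whether a strict client would accept its certificate, and if not, which of the listed problems is the cause.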