chax
commented
6 years ago I know this is already merged, but here is an example where you would need self signed certificate and you don't have a possibility of using CA to make valid trusted certificate.
Imagine this, you have a device which has REST API and it's only accessible locally over LAN. Since it is local device, it has a local IP address, but doesn't have domain. You still want to use SSL for this REST API, that is, access it over HTTPS. Since it has only local IP address and no domain, it's impossible for CA to issue certificate and our only option is to use self signed certificate.
davidperrenoud
Oh boy. Here's a controversial change.
Let's give a bit of backstory.
A few weeks ago, Facebook was contacted by a whitehat hacker (the good guys) about a security vulnerability here in SocketRocket.
For those of you who are truly interested in what that security flaw was, it is essentially the same flaw as outlined here:
https://www.synopsys.com/blogs/software-security/ineffective-certificate-pinning-implementations/
So, we were faced with a choice - quietly push out a patch, and hope that eventually existing applications updated, or be transparent and admit we screwed up.
This is us admititng we screwed up. And while yes, we could probably fix the implementation. But we talked internally, and decided that the best approach here is to completely remove the option for pinning.
For all of our existing users that use certificate pinning, while we understand that in the past there has been a very large barrier to entry with getting a CA to issue a certificate.
However, since the rollout of CAs like LetsEncrypt, there's become an ever-dwindling reason to actually use self-signed or unsigned certificates.
For this reason, we're going to go ahead and deprecate the APIs that allow SSL pinning and disabling trust chain verification. The pinning APIs are now going to throw an exception when invoked, and the trust chain APIs have deprecation warnings.
If you are a user of these APIs, and you for some reason CANNOT use a trust chain validated certificate, PLEASE speak up. While we cannot think of any reason to use those kinds of certificates, it's entirely possible we overlooked something. We'll leave this pullrequest unmerged for a two week period (Monday, August 28th, 2017), at which point, unless we have feedback convincing us otherwise, we will go ahead with this change.