somkiattha / opendatakit

Automatically exported from code.google.com/p/opendatakit

Add the CAcert.org root certificate to the app #1120

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What tool are you using? ODK Collect

What is frustrating, troubling, annoying or lacking? CAcert's root is missing from
the Android store, so it requires a manual install, which is challenging for end-users.

How would you like it to work? CAcert certificate accepted.  

This is detailed in
http://www.codeproject.com/Articles/826045/Android-security-Implementation-of-Self-signed-SSL

As the main purpose here is supporting self-hosted ODK instances, it has to be
domain-independent.  Some people (erroneously) think this creates an additional
security risk as it would make it (theoretically) easier to do a MitM attack.
In practice, MitM attacks are easily executed with compromised "official"
certs, official LI certs, or unofficially redirected LI certs, which browsers
just accept anyway.  The premise of the value of a commercial CA's signature
validating the server endpoint is dangerously flawed and intractably broken.
The WOT model CAcert uses is far more secure and robust than the easily
corrupted commercial CA model, where one compromised employee in any one of
hundreds of companies creates a global class break.

However, due to the widespread marketing efforts of the commercial CA vendors,
it is commonly believed that there is value in their high-priced security
placebo, thus accepting CAcert (and possibly all self-signed certs) should be
an administration menu option and, probably, disabled by default.

Toggling the "enable" check on the admin menu is something users can be
instructed to do along with specifying a self-hosted ODK server.  My preference
would be to make it default to accept a CAcert cert and add a checkbox to accept
self-signed, but I don't know how to add CAcert without making the certificate
install part of the app install, and I'm not sure that's appropriate.
Therefore, from my limited expertise, I think the only expedient solution is to
add an administrator check for accepting self-signed (and CAcert) certs.

I'd argue that something like Certificate Patrol (the Firefox add-on) or the
"host key change" warning built into most SSH clients is the right way to keep
users secure, and is far, far more secure than blindly trusting CAs.  It is
very, very hard to ALWAYS MitM a target such that the presented certificate
never changes, and tracking such changes is infinitely more secure than the
current model.

NOTE: the core team has limited ability to make software enhancements.
We rely heavily on community-contributed enhancements to the tools. If this
is something you very much need, consider hiring a developer to make the
changes with the stipulation that they work with the core team to specify
the details of the change and contribute the change back to the project
under an Apache 2 license.

Original issue reported on code.google.com by dges...@gmail.com on 23 Mar 2015 at 11:43
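The two mechanisms the report asks for, adding one extra root (such as the CAcert root) to the app's trust store without disabling validation, and an SSH-style "certificate changed" warning on top of it, can both be expressed with the standard javax.net.ssl APIs that Android exposes to HttpsURLConnection. The following is an added example, not code from ODK Collect or from the reporter; the class name ExtraRootTrust, the PinStore type, the asset name cacert_root.pem and the server URL are placeholders, and the in-memory pin map stands in for whatever the app would persist.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.*;

/** Example only (not ODK Collect code): platform CAs plus one extra root, with a TOFU fingerprint check. */
public final class ExtraRootTrust {

    /** X509TrustManager backed by the given KeyStore; a null store selects the platform's default CAs. */
    private static X509TrustManager trustManagerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Validates the server chain against the platform CAs first and, only if that fails, against the
     * single extra root read from extraRootPem (PEM or DER). Chain validation is never switched off,
     * unlike an "accept all" TrustManager whose checkServerTrusted is empty.
     */
    public static SSLSocketFactory socketFactory(InputStream extraRootPem) throws Exception {
        X509Certificate extraRoot = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(extraRootPem);
        KeyStore extra = KeyStore.getInstance(KeyStore.getDefaultType());
        extra.load(null, null);                       // empty in-memory store holding only the extra root
        extra.setCertificateEntry("extra-root", extraRoot);

        final X509TrustManager platform = trustManagerFor(null);
        final X509TrustManager added = trustManagerFor(extra);
        X509TrustManager combined = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    platform.checkServerTrusted(chain, authType);
                } catch (CertificateException notPlatformTrusted) {
                    added.checkServerTrusted(chain, authType);   // throws unless the extra root signs this chain
                }
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                List<X509Certificate> issuers = new ArrayList<>();
                Collections.addAll(issuers, platform.getAcceptedIssuers());
                Collections.addAll(issuers, added.getAcceptedIssuers());
                return issuers.toArray(new X509Certificate[0]);
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { combined }, null);
        return ctx.getSocketFactory();
    }

    /** Hex SHA-256 of the DER encoding, the same fingerprint a browser's certificate viewer shows. */
    public static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Trust-on-first-use store: leaf fingerprint per host. A real app would persist this map. */
    public static final class PinStore {
        private final Map<String, String> seen = new ConcurrentHashMap<>();

        /** True on first contact or an unchanged certificate; false when the host now presents a different one. */
        public boolean check(String host, X509Certificate leaf) throws Exception {
            String fp = fingerprint(leaf);
            String previous = seen.putIfAbsent(host, fp);
            return previous == null || previous.equals(fp);
        }
    }

    /** Keeps the normal hostname check and layers the SSH-style "host key changed" check on top of it. */
    public static HostnameVerifier tofuVerifier(final PinStore store, final HostnameVerifier base) {
        return new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) {
                if (!base.verify(hostname, session)) {
                    return false;
                }
                try {
                    X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
                    return store.check(hostname, leaf); // false: refuse and tell the user the certificate changed
                } catch (Exception e) {                 // e.g. SSLPeerUnverifiedException
                    return false;
                }
            }
        };
    }

    /** Wiring for one request; the URL and the cacert_root.pem asset are placeholders. */
    public static HttpsURLConnection open(URL server, InputStream cacertRootPem, PinStore store) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) server.openConnection();
        conn.setSSLSocketFactory(socketFactory(cacertRootPem));
        conn.setHostnameVerifier(tofuVerifier(store, HttpsURLConnection.getDefaultHostnameVerifier()));
        return conn;
    }
}
```

The ordering in checkServerTrusted is what makes the extra root domain-independent, as the report wants: any server whose chain terminates at that root is accepted, for any hostname, so a compromise of that root affects every self-hosted instance, which is exactly why the fingerprint check belongs on top rather than instead of it. A PinStore.check that returns false should surface to the user as an explicit "the server's certificate has changed" decision, not a silent retry. On Android 7 and later the extra trust anchor can also be declared without code through the Network Security Configuration (a trust-anchors entry pointing at a raw resource), which avoids shipping a custom TrustManager at all; the TOFU layer still has to be done in code.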