Accept self-signed certificates


  • developer

    FOOD FOR THOUGHT: Forget about MITM as an excuse for NOT correcting the self-signed certs issue.

    AFAIK, there is no self-signed certs issue. It works fine with self-signed certs, and I recommend using them when you don't want to get a cert from a public CA. Where is the issue?

    TO ALLOW SELF-SIGNED on Android... you gotta substitute your own HttpClient interface.

    You mean: to allow self-signed certs in DAVdroid. To allow them on Android, you have to import them like described on the DAVdroid home page.

    Again: Where's the issue?

    Also, place a configuration checkbox on the setup screen to ignore invalid certs so you can turn it on or off. Risk of MITM is assumed by the user.

    SSL without certficate checks (this is something other than allowing self-signed certs) is not only absolutely useless but actually dangerous because one might think data are transmitted securely. Would you like to have a "Disable brakes" switch in your car? I wouldn't. If you don't care about security, use HTTP – it's exactly as secure as HTTPS without certificate checks.

    You forgot that the cellphone companies along with Google make backup copies of all your data (including your private keys?) to their own servers with the Android Backup API. So, if you want security... don't use a cellphone!

    For info about the Backup API, please see here: https://developer.android.com/google/backup/index.html

    »In order to use Android Backup Service, you must register your app with the service to receive a key that you must include in your Android manifest.«

    DAVdroid is not registered with the Backup API; it's data won't be stored. Calendar and contact data may be, but that's not our responsibility and I can only advise to not use that service.

    HINT #1: Why does Google Play require a GMail account?

    Question #1: Why do I use CyanogenMod without GApps, thus without Google Play? 🙂

    HINT #3: Real world: Verizon and ATT can restore your phone and data when you sign a new contract with a new phone? ADVICE: TAKE THE HINT.)

    Can you restore a DAVdroid account? If the answer is yes, you would have to erase this spying firmware as soon as you get the phone and replace it by a free Android flavour (CyanogenMod, Replicant). I also strongly recommend to have a look in the source code; for instance, you might audit the Backup API and then tell us if it really does what it should (and not more than that).



  • SSL without certficate checks (this is something other than allowing self-signed certs) is not only absolutely useless but actually dangerous because one might think data are transmitted securely. Would you like to have a "Disable brakes" switch in your car? I wouldn't. If you don't care about security, use HTTP – it's exactly as secure as HTTPS without certificate checks.

    I disagree here. Using plain HTTP leaves you open to interception by any passive attacker, e.g. someone sniffing the local coffee shop's open wifi network. Using HTTPS without certificate checks at least requires an active attacker MITM'ing your connection before your data is exposed. Just like most physical locks are easily breakable, that doesn't mean they are completely useless.

    At this point any implementation at all would be a welcome change; for now most friends & colleagues that I managed to convert away from google are stuck syncing davdroid over plain HTTP, because importing a custom certificate in Android is non feasible for the average user (see many of the comments above).



  • AFAIK, there is no self-signed certs issue. It works fine with
    self-signed certs, and I recommend using them when you don't want to get
    a cert from a public CA. Where is the issue? <<<

    YES, THERE IS A PROBLEM--IT DOESN'T WORK (even after import). A server certificate,
    signed by a PRIVATE RA or CA returns an error on JellyBean AND REFUSES
    TO CONNECT -- IMPOSSIBLE. Also, Subject Alt Names aren't recognized.
    "I/O error... hostname,... blah, blah, blah". Self-signed includes ANY
    possible cert in a chain of trust. I think Your definition of "self-signed"
    means a simple test certificate which is signed by its own private key. Again,
    PRIVATE RA/CA certificates do not work. Typical error codes from the
    SSL libs might be 18 (classic self-signed test certificate) or 19 or 20
    or 21 (private CA/RA). Use "openssl s_client" testing with various cert
    configurations for examples. (How do I know? I wrote my own CA. Been
    operational for a couple of years. Don't have a problem with anything
    else. Only DavDroid. (Hence, the code sample -- generally, this is how
    ActiveSync and browser libraries handle it.)

    ==========================================

    You mean: to allow self-signed certs in DAVdroid. To allow them on
    Android, you have to import them like described on the DAVdroid home
    page. Again, where is the issue? <<<

    Importing my certs doesn't work... for the reason described -- both in
    the text and in the code -- AND, as described in the previous paragraph.
    I've spent several FRUSTRATING hours trying everything under the sun to
    make it work.

    ==========================================

    SSL without certficate checks (this is something other than allowing
    self-signed certs) is not only absolutely useless but actually dangerous
    because one might think data are transmitted securely. Would you like to
    have a "Disable brakes" switch in your car? I wouldn't. If you don't
    care about security, use HTTP – it's exactly as secure as HTTPS without
    certificate checks. <<<

    Who cares? I'm an intelligent user. I want crypto... I assume my own
    risk. Do you think you or your program knows better than I if I should
    receive an error or not? Does it read my mind or employ some miraculous
    Artificial Intelligence code? No.

    ===========================================
    »In order to use Android Backup Service, you must register your app with
    the service to receive a key that you must include in your Android
    manifest.«

    DAVdroid is not registered with the Backup API; it's data won't be
    stored. Calendar and contact data may be, but that's not our
    responsibility and I can only advise to not use that service. <<<

    Geez... Do we now need to discuss the cellco company practices? I only
    noted them because they are an established FACT. What's that got to do
    with crypto? I'm only MINIMIZING THE CRAP regarding this issue: OH
    NO! WE GOTTA WORRY ABOUT THE AUTHENTICITY OF THE REMOTE SERVER!"

    This subject will go on forever and consume more airtime than even Ed
    Snowden is getting.

    ========================================

    Question #1: Why do I use CyanogenMod without GApps, thus without
    Google Play? 🙂 <<<

    How many of your users have the technical ability to root their
    phone???? .000001%?????????? Ad nauseum.

    HINT #3: Real world: Verizon and ATT can restore your phone and data
    when you sign a new contract with a new phone? ADVICE: TAKE THE HINT.)

    Can you restore a DAVdroid account? <<<

    If the answer is yes, you would have to erase this spying firmware as
    soon as you get the phone and replace it by a free Android flavour
    (CyanogenMod, Replicant). I also strongly recommend to have a look in
    the source code; for instance, you might audit the Backup API and then
    tell us if it really does what it should (and not more than that). <<<

    YES! The mentioned carriers can restore calendar, contacts, email,
    files, misc phone settings, etc. Online backups are now defaults...
    most people are clueless.

    They are using their "branded" implementation(s) of the Backup API to do
    it... back by popular demand of the spy grid.

    I kid you not. Would you like to know why I dumped my cell phones
    almost 3 years ago???? Have you checked your phones for military IPs
    thru VPN tunnels??? (I have. The phone was shut down the very next
    day. The local salesman at the local sales office had EXACTLY the same
    problem -- I found that out because I checked.)

    People don't even realize that the 4G backbone is generally owned and
    operated by the DOD. In reality, the carriers only own the local access
    towers. The carriers can even use the DOD (DISA) to do billing....
    Another tidbit people don't know. I have the military documents (under
    FOIA... and, now, these docs are available publicly).

    LIKE I SAID,... This subject will go on forever and consume more airtime
    than even Ed Snowden is getting.

    ==================================================================

    *** WE NEED CRYPTO TO OUR PRIVATE SERVERS WITH PRIVATE CA'S *******
    Creating the subclassed HttpClient stuff will allow that to happen as
    described, previously.

    ==================================================================



  • It seems like emotions are flying high. I recommend a practical approach.

    Various ways of managing certificates from within DAVdroid might be feasible in theory, but in practice it's the kind of thing that takes a bunch of time. If I were developing for this project, which I'm not, I might prefer to focus on other areas of the code base.

    Certainly many of us have self-signed certificates that we make and import into Android and using those we can use DAVdroid with encryption as desired. This is a simple process, which isn't to say it's easy, but if you are trying to do the same and failing, please see the documentation and let us know where things are going haywire.



  • Certainly many of us have self-signed certificates that we make and import into Android and using those we can use DAVdroid with encryption as desired. <<<

    Emotions aren't flying high... but the nonsense about "MITM HIJACKS" is really taking a lot of time. THE CODE ABOVE, MODIFIED FOR PURPOSES OF DAVDROID, along with a global search/replace text of the DefaultHttpClient (or whatever) library calls will yield correct results.

    To understand the REAL nature of the problem... read the DOJ Appellate Brief against Lavabit for contempt in the Snowden fiasco. The DOJ Brief is a confession of everything that Snowden said: AND BEYOND ANY DOUBT, shows you that the entire "PUBLIC" (not private) cloud computing crypto is compromised under "general warrants."

    =====================

    http://stackoverflow.com/questions/1217141/self-signed-ssl-acceptance-android
    AGAIN: REITERATE: ALL MAJOR PUBLIC WEBSERVERS ARE ALREADY COMPROMISED -- US vs LAVABIT, Decided April 16, 2014. It is a confession that points out that all major internet providers private keys have been turned over to whomever. Private certificates are the only secure ones, today. End of story.



  • @ddblack, do you really think screaming at the dev is going to get things done? Please try to remain civil. And remember, you can always fork it 😉



  • Not screaming. How else do you EMPHASIZE THE IMPORTANCE of something when everyone wants to pollute the issue with uninformed (or ignorant -- definition -- "ignore" indisputable facts) rhetoric. I've been around the block as a developer for over 30 years.

    I don't want to fork it. I want to be able to steer anyone who asks for a reliable, easy-to-use caldav/carddav client to DavDroid. Today, I say: Buy an Apple.

    AS YOU CAN SEE... This topic has been bounced around since last year! Apple can optionally ignore cert errors, web browsers can ignore cert errors, ActiveSync can ignore errors... But, DavDroid can't. ALL competent business servers who have a Microsoft Server have their own PRIVATE CA. I don't know any public CA that allows you to issue your own certs. Why???? ANSWER: Someone wants a copy of the keys. They don't want you to create your own keys. (In addition, this compromised oligarchy of CAs is the reason for development of BOTH DNSSEC and DANE TLS.)



  • @ddblack please, focus. You are mixing up many different problems.
    As you probably know, your proposed code disables hostname verification. This is definitly the wrong approach. It is extremly easy to play MitM with your code in place. What we need is certificate pinning per davdroid account!



  • @ddblack I think the use of all-caps and name calling ("uninformed", "ignorant"), is best avoided. On any issue, even if you feel you're definitely right and others are wrong, being dismissive is counterproductive. We're trying to work together on these issues, after all.



    1. Everyone here is irrationally focused on the authenticity of the remote server.
    2. Android cert handling SUCKS.
    3. So... You don't have any choice. Reread the code. Add to it... Don't forget Subject Alt Name. Check the hyperlink I gave here for more fuel to "get the job done."
    4. All public internet services are already compromised (e.g. The Lavabit case already proves that the remote servers... e.g. Google, et al,... are already compromised. The Public CAs controls your keys. Most people here don't even know how the keys work -- it's magic.)
    5. CONCLUSION: Private CAs are the ONLY certificates that can be trusted.

    I'm tired of all the dribble about MITMs. That requires a HIJACK -- "perps" need to hack your DNS, set up a fake server, set up fake certs, etc. PRIVATE SYSTEMS AREN'T WORTH THAT EFFORT. Google just gives "anyone" a copy of the keys. You don't even have to worry about fake certs -- because the certs are copies that Google gave them. People are clueless. Including coders

    There is nothing more dangerous than transmitting your password in the clear.

    "Discussing the obvious" for 8 months is not "working together on the issues."

    There is only one issue: Encryption that is easy to use without a graduate degree in operating systems and crypto.