Certificate ignore



  • App implementation to bypass certificate validation


  • developer

    Thanks for your interest in DAVdroid. However, ignoring the certificate and bypassing validation is not a feature, but a severe security flaw. Why should this be implemented?



  • In Brazil, the certifying authority (ICP Brazil) is not recognized as valid
    outside the country. We intend to adopt DavDroid as a tool used by many
    government employees without a fork, hence this demand. This feature is
    implemented in native ActiveSync on Android and K9.

    2015-06-25 19:08 GMT-03:00 rfc2822 notifications@github.com:

    Thanks for your interest in DAVdroid. However, ignoring the certificate
    and bypassing validation is not a feature, but a severe security flaw. Why
    should this be implemented?


    Reply to this email directly or view it on GitHub
    https://github.com/bitfireAT/davdroid/pull/564#issuecomment-115415687.


  • developer

    In Brazil, the certifying authority (ICP Brazil) is not recognized as valid outside the country. We intend to adopt DavDroid as a tool used by many government employees without a fork, hence this demand. This feature is implemented in native ActiveSync on Android and K9.

    I see. Why don't you just import the CA certificate on all those devices? Then users could use any app (including the Android email app and DAVdroid) to connect to your servers.



  • This is one of the possibilities raised, but many of our users do not find
    it very easy to set up the cell phone, and the installation process of the
    certificate chain is not a trivial operation; we have around 50,000 users.
    The impossibility of ignoring the certificate can provoke resistance to
    changing from ActiveSync to DavDroid.

    2015-06-26 7:24 GMT-03:00 rfc2822 notifications@github.com:

    In Brazil, the certifying authority (ICP Brazil) is not recognized as
    valid outside the country. We intend to adopt the DavDroid as a tool used
    by many government employees without a fork and so this demand. This
    feature is implemented in native ActiveSync on Android and K9

    I see. Why don't you just import the CA certificate on all those devices?
    Then users could use any app (including the Android email app and DAVdroid)
    to connect to your servers.


    Reply to this email directly or view it on GitHub
    https://github.com/bitfireAT/davdroid/pull/564#issuecomment-115632620.


  • developer

    The impossibility of ignoring the certificate can provoke resistance …

    Ignoring the certificate is a severe security flaw that renders SSL/TLS nearly useless. You may use plain HTTP instead (for instance, with Digest authentication) as it provides almost the same level of security.



  • I think I expressed myself poorly: the certificate is not ignored in the
    implementation, only the verification of validity will be ignored. All
    transactions are still encrypted with SSL or TLS.

    2015-06-26 11:13 GMT-03:00 rfc2822 notifications@github.com:

    The impossibility of ignoring the certificate can provoke resistance …

    Ignoring the certificate is a severe security flaw that renders SSL/TLS
    nearly useless. You may use plain HTTP instead (for instance, with Digest
    authentication) as it provides almost the same level of security.


    Reply to this email directly or view it on GitHub
    https://github.com/bitfireAT/davdroid/pull/564#issuecomment-115702493.


  • developer

    I think I expressed myself poorly: the certificate is not ignored in the implementation, only the verification of validity will be ignored. All transactions are still encrypted with SSL or TLS.

    SSL or TLS is nearly useless without validation checks. This would be a severe security flaw, please don't use that! Just imagine that some of your people use a free WiFi to connect to your server. The WiFi admins can do a MITM attack with one click and all .gov.br data would belong to them.

    To see which severe security problems are caused by not validating certificates, please read http://www.search-lab.hu/about-us/news/109-security-vulnerability-in-lg-s-update-center-application (for instance).

    DAVdroid would rather need a good certificate pinning option, but ignoring the certificate is not a possible option.
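The three positions in this thread (a private national CA that no stock trust store knows, the developer's suggestion to install that CA on the devices instead of skipping validation, and the "good certificate pinning option" he mentions at the end) can be shown side by side with a small constructed PKI. The following Go program is an added example written for this page; it is not DAVdroid code (which is Java) and it assumes nothing about ICP-Brasil's real certificates. The CA names, the host name `caldav.example.gov.br` and the "Free WiFi CA" are all constructed in-process with the standard `crypto/x509` package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed, monotonically increasing serials for the toy PKI

// issue builds a certificate for cn. With parent == nil the result is a
// self-signed root; otherwise it is a server leaf for dnsName signed by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{dnsName}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyServer does what a TLS client does when validation is on: chain the
// leaf to a root in the trust store and check it was issued for host.
func VerifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the usual pin format.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned is the pinning option: full validation first, then the leaf's
// public key must match the pin the app shipped with.
func VerifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) error {
	if err := VerifyServer(leaf, roots, host); err != nil {
		return err
	}
	if SPKIPin(leaf) != pin {
		return errors.New("chain is valid but the public key does not match the pin")
	}
	return nil
}

// Outcome records which trust configuration accepts which server.
type Outcome struct {
	EmptyStoreAcceptsServer bool // the symptom: no stock store trusts the private CA
	PrivateCAAcceptsServer  bool // the fix: the ICP root was installed on the device
	PrivateCAAcceptsRogue   bool // must stay false, otherwise validation is worthless
	PinAcceptsRogue         bool // must stay false even if the rogue CA got trusted
}

func RunScenario() Outcome {
	const host = "caldav.example.gov.br" // constructed host name
	icpRoot, icpKey := issue("ICP-Brazil root (constructed)", true, nil, nil, "")
	server, _ := issue(host, false, icpRoot, icpKey, host)
	rogueRoot, rogueKey := issue("Free WiFi CA (constructed)", true, nil, nil, "")
	rogue, _ := issue(host, false, rogueRoot, rogueKey, host)

	empty := x509.NewCertPool() // an empty store, unlike nil, does not fall back to system roots
	trusted := x509.NewCertPool()
	trusted.AddCert(icpRoot)
	overTrusting := x509.NewCertPool() // a device that also trusts the rogue CA
	overTrusting.AddCert(icpRoot)
	overTrusting.AddCert(rogueRoot)

	return Outcome{
		EmptyStoreAcceptsServer: VerifyServer(server, empty, host) == nil,
		PrivateCAAcceptsServer:  VerifyServer(server, trusted, host) == nil,
		PrivateCAAcceptsRogue:   VerifyServer(rogue, trusted, host) == nil,
		PinAcceptsRogue:         VerifyPinned(rogue, overTrusting, host, SPKIPin(server)) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Only `PrivateCAAcceptsServer` comes out true: once the private root is in the trust store, the legitimate server validates and a certificate minted by the hotspot's own CA for the same host name is still rejected, which is exactly the check the PR proposed to switch off. The pin adds a second layer for the case where a device has been talked into trusting one root too many.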

