Everyone here is irrationally focused on the authenticity of the remote server.
Android cert handling SUCKS.
So… You don’t have any choice. Reread the code. Add to it… Don’t forget Subject Alt Name. Check the hyperlink I gave here for more fuel to “get the job done.”
All public internet services are already compromised (e.g. The Lavabit case already proves that the remote servers… e.g. Google, et al,… are already compromised. The Public CAs controls your keys. Most people here don’t even know how the keys work – it’s magic.)
CONCLUSION: Private CAs are the ONLY certificates that can be trusted.
I’m tired of all the dribble about MITMs. That requires a HIJACK – “perps” need to hack your DNS, set up a fake server, set up fake certs, etc. PRIVATE SYSTEMS AREN’T WORTH THAT EFFORT. Google just gives “anyone” a copy of the keys. You don’t even have to worry about fake certs – because the certs are copies that Google gave them. People are clueless. Including coders
There is nothing more dangerous than transmitting your password in the clear.
“Discussing the obvious” for 8 months is not “working together on the issues.”
There is only one issue: Encryption that is easy to use without a graduate degree in operating systems and crypto.
Please see this poll: https://twitter.com/davdroidapp/status/1006892001126690816
71 % have voted for keeping current behavior (no automatic selection)
However, to improve user experience, we have introduced a small message to indicate that collections must be selected to be synchronized:
This message is only shown if there are no collections selected when the activity is started.