
Thread: Validate SSL certificate

  1. #1
    joostvanhassel (Sencha User)

    Validate SSL certificate

    A lot of Sencha Touch apps being developed will require data from a server, something which is easy to set up in Sencha Touch / Designer. Most of my apps will run over an SSL connection, for obvious security reasons.

    While developing, I ran a server with a self-signed (thus not validated) certificate, which is accepted without a problem. This made me think: is there a way to check if an SSL certificate has a certain predefined thumbprint or can be validated by a certificate authority, so the app is sure the certificate presented is not a generated SSL certificate that's being used in a man-in-the-middle attack?

    I can imagine this is something that cannot be handled in plain JS and therefore will have to be handled on a higher level (within the wrapper around the webview). Is there a way to do this at this time / is this something that is on the roadmap?
    Of course it's possible to handle this in native code in PhoneGap already, but as this issue is relevant to a lot of apps and because I would prefer to deploy my apps without the PhoneGap layer, I thought it might be useful to look into.

  2. #2
    joostvanhassel (Sencha User)

    My assumption above is incorrect:
    - yes, a browser will load data over an https connection if the SSL certificate is not validated by a CA
    - no, the WebView that shows your code on iOS does not allow SSL certificates that are not validated by a CA

    My previous findings were based on browser testing; I should have tested this on devices before raising the issue: whoops!

    At the moment I can't test how Android will handle this, I'll leave another reply as soon as I have tested this. At this point I'm happy iOS handles certificates the way it does; it makes man-in-the-middle attacks less likely.
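The thumbprint check asked about in the first post, as an added example that is not part of this thread, of Sencha Touch or of PhoneGap: a Go program (standard library only) that stands in for the native wrapper's network layer, since the page's JavaScript never gets to see the certificate. It generates two throwaway self-signed certificates, one playing the legitimate server and one playing the certificate an attacker would generate for a man-in-the-middle, pins the SHA-256 thumbprint of the first, and shows the client handshake completing against the pinned certificate and being rejected against the other. The host name `localhost`, the loopback listener and both certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedCert builds a throwaway self-signed certificate for host. It is
// constructed for this example and stands in both for the developer's own
// self-signed server and for a certificate an attacker generates for a MITM.
func SelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Fingerprint is the SHA-256 thumbprint of a DER-encoded certificate as
// lowercase hex: the value the app would ship with as its pin.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinnedClientConfig accepts a server only if the thumbprint of the leaf
// certificate it presents is in pins. Chain/CA validation is switched off so
// the example works with self-signed certificates; the pin check replaces it.
func PinnedClientConfig(host string, pins []string) *tls.Config {
	return &tls.Config{
		ServerName:         host,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true, // VerifyPeerCertificate below is the verification
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server presented no certificate")
			}
			got := Fingerprint(rawCerts[0])
			for _, pin := range pins {
				if subtle.ConstantTimeCompare([]byte(got), []byte(pin)) == 1 {
					return nil
				}
			}
			return fmt.Errorf("certificate pin mismatch, leaf thumbprint %s", got)
		},
	}
}

// ConnectPinned runs a loopback TLS server presenting serverCert and dials it
// with a client pinned to pins. It returns nil only if the handshake completes,
// i.e. the presented certificate matched a pin; no application data is sent.
func ConnectPinned(serverCert tls.Certificate, pins []string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		c.(*tls.Conn).Handshake() // drives the server side; a rejected pin arrives here as a TLS alert
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), PinnedClientConfig("localhost", pins))
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	legit, _ := SelfSignedCert("localhost")
	mitm, _ := SelfSignedCert("localhost") // same name, different key: what a MITM would present
	pins := []string{Fingerprint(legit.Certificate[0])}
	fmt.Println("pinned server:", ConnectPinned(legit, pins))
	fmt.Println("MITM server:  ", ConnectPinned(mitm, pins))
}
```

The example pins the leaf certificate's thumbprint because that is what the question asks for; it also means the app has to ship an update whenever the server certificate is renewed. A production pin set would more usually hash the server's SubjectPublicKeyInfo (which survives a reissue under the same key), carry a backup pin for the next key, and keep the normal CA validation in place in addition to the pin rather than disabling it as done here. Whatever is pinned, the comparison has to happen in the native layer before any request body is sent, which is the same place the wrapper would otherwise accept or reject a self-signed certificate.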
