

Rethinking SSL Development in an Appified World [pdf] - conductor
http://cryptome.org/2014/08/rethinking-ssl.pdf

======
zmanian
Certificate pinning is a best practice (Google does it for their apps) and
deserves to be supported in the SSL API provided by Android. This is my
favorite thing in the proposal.

------
mike_hearn
This is a really excellent piece of research. Congrats to the authors and I
hope the Android team put effort into the suggested improvements. Given
Google's long term efforts around SSL it would be a good fit.

The offhand remark about SSLSocketConnection not checking hostnames even
though it has all the data it needs is a bit worrying. Does UrlConnection on
Android do the right thing with respect to SSL URLs? It should do, I hope!
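
Added example (my own code, not from the paper or from Android's SSL API): the two checks that zmanian's and mike_hearn's comments touch on, written in Python on constructed inputs because the logic is the same in any TLS stack. It shows RFC 6125-style matching of a hostname against subjectAltName dNSName entries (what an app must do itself when the socket API skips it), and an HPKP-style SPKI SHA-256 pin check run in addition to normal chain validation. The function names and the "SPKI" byte strings are assumptions for illustration, not real keys.

```python
import base64
import hashlib
import ipaddress
from typing import Iterable, Sequence


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName dNSName entry against a hostname (RFC 6125 rules).

    Case-insensitive; a single '*' is accepted only as the whole left-most
    label, it matches exactly one label, and at least two labels must follow
    it. So '*.example.com' matches 'www.example.com' but not 'example.com' or
    'a.b.example.com', and '*.com' or 'w*.example.com' are rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return all(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str,
                     san_dns_names: Sequence[str],
                     san_ip_addresses: Sequence[str] = ()) -> bool:
    """Does the certificate's subjectAltName cover `hostname`?

    IP literals are matched only against iPAddress entries (a dNSName that
    happens to look like an address does not count), and there is no
    fallback to the subject CN.
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        for entry in san_ip_addresses:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True
            except ValueError:
                continue
        return False
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


def spki_pin(spki_der: bytes) -> str:
    """Pin in the HPKP (RFC 7469) form: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_is_pinned(chain_spki_der: Iterable[bytes], pins: Iterable[str]) -> bool:
    """Accept if any SPKI in the already path-validated chain matches a pin.

    Pinning an intermediate as a backup keeps the app working when the leaf
    is reissued; a pin set of one is how apps lock themselves out. Pinning
    is checked in addition to path validation, never instead of it.
    """
    pin_set = set(pins)
    return any(spki_pin(spki) in pin_set for spki in chain_spki_der)


def verify_peer(hostname, san_dns_names, chain_spki_der, pins, san_ip_addresses=()):
    """Both checks must pass; returns (ok, reason) so the caller can log why it failed."""
    if not hostname_matches(hostname, san_dns_names, san_ip_addresses):
        return False, "hostname not in subjectAltName"
    if not chain_is_pinned(chain_spki_der, pins):
        return False, "no pinned public key in chain"
    return True, "ok"


# Constructed sample data: stand-ins for DER-encoded SubjectPublicKeyInfo
# blobs, not real keys (assumption for the example).
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
PINS = {spki_pin(INTERMEDIATE_SPKI)}   # only the intermediate is pinned

if __name__ == "__main__":
    chain = [LEAF_SPKI, INTERMEDIATE_SPKI]
    print(verify_peer("www.example.com", ["*.example.com"], chain, PINS))
    print(verify_peer("evil.example.net", ["*.example.com"], chain, PINS))
    print(verify_peer("www.example.com", ["*.example.com"], [b"rogue-leaf", b"rogue-ca"], PINS))
```

The hostname check deliberately has no CN fallback and never lets a dNSName entry stand in for an IP literal; both are common shortcuts that turn a missing API check into an accepted mismatched certificate. The pin check runs after, not instead of, ordinary chain validation.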

------
tptacek
The irony of apps breaking SSL by trying to accommodate self-signed
certificates during development is that mobile apps are the one mass-market
setting where self-signed certificates are superior to CA-signed certificates
_in production_.

------
newman8r
Hopefully apple will be more vigilant in the approval process with respect to
SSL implementations in the coming year.

------
0x0
I wonder if app SSL best practices are hindered by Apple's requirements to
self-declare crypto and get export permissions from the US department of
whatever. It's quite the surprise speedbump for new app developers, being
first presented with this form at the point of app store upload. I can easily
imagine developers doing a search & replace of "https" to "http" just to avoid
dealing with all that.

