SSL Certificate Problem #5100

Closed
zero77 opened this Issue Jan 20, 2016 · 8 comments


zero77 commented Jan 20, 2016

According to the Sift Android app, there is an error with Signal's SSL certificate. I have posted a screenshot below.

https://s10.postimg.org/moih1hdux/Quick_Memo.png

Contributor

agrajaghh commented Jan 20, 2016

Signal uses a pinned self-signed certificate, so CertPathValidatorException isn't a problem, but I'll leave this to @moxie0 to comment/close it...

although SHA1 looks weird...

zero77 commented Jan 20, 2016

Oh OK, I see you use self-signed certificates. I think you can get trusted, recognised certificates for free from here, but I haven’t looked into it.
https://letsencrypt.org

Contributor

mimi89999 commented Jan 20, 2016

https://startssl.com also offers free SSL certificates.

@kmindi kmindi referenced this issue Jan 20, 2016

Closed

Introduce Threat model #782

0 of 4 tasks complete

Member

moxie0 commented Jan 20, 2016

There is no reason to ever use a CA-signed certificate in an app. To do so would only enable additional points of compromise for zero additional value. If you ever see anyone using a CA-signed certificate in an app, they're doing it wrong. See http://thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/ for more information.

@moxie0 moxie0 closed this Jan 20, 2016

kpcyrd commented Jan 21, 2016

@moxie0 is there a difference between pinning a signed certificate and a self-signed one?

zero77 commented Jan 21, 2016

I think you would be more open to MITM attacks if you didn’t pin it.

Contributor

mimi89999 commented Jan 21, 2016

@moxie0 SHA1withRSA is very WEAK. The server also supports SSL 3 which is insecure. 😞

Member

moxie0 commented Jan 24, 2016

@kpcyrd Yes, pinning a CA-signed certificate is less secure. The certificate you pin is the signing certificate, so while you've eliminated the ability for every other CA to forge certificates, the CA you've pinned still can. Again, there is never any reason to use CA certificates from a mobile app. It only weakens the app, and provides no value.

@mimi89999 For CA-signed certificates, there is a concern that eventually SHA1 will lose collision resistance (hasn't happened yet, no collision has ever been found). For a self-managed trust root, that is not a problem, since we don't issue certificates to anyone else from our root.

The cipher suites we support enable us to receive connections from old Gingerbread devices.

@signalapp signalapp locked and limited conversation to collaborators Jan 24, 2016
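
The pinning model discussed in this thread, as an added example that is not part of the conversation and is not Signal's code: the pinned certificate is placed in an otherwise empty KeyStore, so a server chain is accepted only if it validates to that one anchor, while a validator that consults the platform CA store (as a scanner would) rejects a self-managed root with the CertPathValidatorException mentioned above. The class name, the `pinned-anchor` alias and the two file arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTrustCheck {

    // Reads every certificate (PEM or DER) from a file, in file order.
    static X509Certificate[] load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    // Trust manager whose only anchor is the pinned certificate; the
    // platform CA store is never consulted.
    static X509TrustManager pinnedTo(X509Certificate anchor) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);                    // start empty: no system CAs
        store.setCertificateEntry("pinned-anchor", anchor);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // True only if the chain (leaf first) validates up to the pinned anchor.
    static boolean accepts(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");   // path validation only, no hostname check
            return true;
        } catch (CertificateException | IllegalArgumentException e) {
            return false;                          // unknown issuer, expired, empty chain, ...
        }
    }

    // Usage: java PinnedTrustCheck.java <anchor.pem> <server-chain.pem>
    public static void main(String[] args) throws Exception {
        X509TrustManager tm = pinnedTo(load(args[0])[0]);
        System.out.println(accepts(tm, load(args[1])) ? "accepted" : "rejected");
    }
}
```

Whoever holds the private key of the certificate passed as the anchor can issue chains that `accepts` returns true for, which is the difference between pinning a self-managed root and pinning a CA's signing certificate that the last reply describes.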
