SSL Certificate Problem #5100
There is no reason to ever use a CA signed certificate in an app. To do so would only enable additional points of compromise for zero additional value. If you ever see anyone using a CA signed certificate in an app, they're doing it wrong. See http://thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/ for more information.
@kpcyrd Yes, pinning a CA signed certificate is less secure. The certificate you pin is the signing certificate, so while you've eliminated the ability for every other CA to forge certificates, the CA you've pinned still can. Again, there is never any reason to use CA certificates from a mobile app. It only weakens the app, and provides no value.
@mimi89999 For CA signed certificates, there is a concern that eventually SHA1 will lose collision resistance (hasn't happened yet, no collision has ever been found). For a self-managed trust root, that is not a problem, since we don't issue certificates to anyone else from our root.
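The trust decision described in the two comments above (pin only a self-managed root, so no public CA can issue for your name, and the signature hash used by that root is under your own control), as an added example that is not part of this issue thread or the project's own code. It uses the openssl CLI to create a constructed self-managed root and a constructed "other CA", issues a leaf for the same name from each, and checks which leaf a client that trusts only our root accepts; every name, path and hostname is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the issue thread): pinning a self-managed root
# versus accepting certificates from any CA. Requires the openssl CLI
# (1.1.0 or newer for -no-CAfile / -no-CApath).
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_root NAME CN : self-signed root in $WORK/NAME.pem with key $WORK/NAME.key
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_leaf ROOT LEAF HOSTNAME : leaf $WORK/LEAF.pem signed by ROOT with SHA-256
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_pinned ROOT LEAF : prints "ok" if LEAF chains to ROOT and nothing else.
# -no-CAfile/-no-CApath exclude the system trust store, which is the point of
# pinning: the public CAs never get a vote.
verify_pinned() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
       "$WORK/$2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# sig_alg NAME : signature algorithm the certificate was signed with, e.g.
# sha256WithRSAEncryption. With a self-managed root you choose this yourself.
sig_alg() {
  openssl x509 -in "$WORK/$1.pem" -noout -text \
    | grep 'Signature Algorithm' | head -n 1 | awk '{print $3}'
}

# Constructed demo: our root, somebody else's CA, one leaf from each for the
# same (placeholder) hostname.
make_root ours  "Example App Root (constructed)"
make_root other "Some Public CA (constructed)"
issue_leaf ours  leaf_ours  api.example.invalid
issue_leaf other leaf_other api.example.invalid

echo "leaf signed by our root, client pins our root:   $(verify_pinned ours leaf_ours)"
echo "leaf signed by other CA, client pins our root:   $(verify_pinned ours leaf_other)"
echo "leaf signed by other CA, client trusts other CA: $(verify_pinned other leaf_other)"
echo "signature algorithm on our leaf:                 $(sig_alg leaf_ours)"
```

The second line of output is the whole argument: a certificate for the same name issued by any other CA is rejected outright, because the only trust anchor the client knows is the root the app ships. If the pinned anchor were instead a public CA's signing certificate (the third line), anything that CA issued for the name would still be accepted.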
The cipher suites we support enable us to receive connections from old gingerbread devices.