doc: add a word on client certificates over untrusted connections

vincentbernat · Nov 13, 2016 · d714e60 · d714e60
1 parent 932237c
commit d714e60
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/docs/android.rst b/docs/android.rst
@@ -127,7 +127,12 @@ certificates. Trusted certificates are built into the app and cannot
 be modified.
 
 The only possibility is to accept untrusted certificates in the
-preferences.
+preferences. This makes TLS useless and you could just use HTTP,
+except if you are interested in client certificates. In this case,
+blindly trusting the server certificate doesn't allow an attacker to
+use your client certificate for its own requests (client has to
+demonstrate its ability to sign a the whole handshake with its
+certificate, including the "server certificate" message).
 
 Client certificates
 ~~~~~~~~~~~~~~~~~~~