[TIMOB-14354] Get SSL certificate owner when using ACS with Ti.Network.HTTPClient
GitHub Issue | n/a |
---|---|
Type | Bug |
Priority | Low |
Status | Open |
Resolution | Unresolved |
Affected Version/s | n/a |
Fix Version/s | n/a |
Components | TiAPI |
Labels | SupportTeam, engReviewed |
Reporter | Davide Cassenti |
Assignee | Abir Mukherjee |
Created | 2013-06-24T11:45:42.000+0000 |
Updated | 2019-12-13T17:08:40.000+0000 |
Description
For security reasons, there is a need to be sure the server is really appcelerator.com when accessing ACS. Currently, Ti.Network.HTTPClient is used to communicate with the server, and the server validation is in place as explained in this document: http://developer.appcelerator.com/blog/2012/11/the-titanium-sdk-and-certificate-validation.html
However, the requirement is to examine the certificate owner as well. There is a possible risk where an intermediate proxy/router might provide a different SSL certificate, which will lead to unprotected data.
Need to ensure the endpoint serving the data was in fact the correct domain, corresponding to the name given in the SSL certificate.
Check this out: http://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified If this needs to be done, the client side should probably do something similar to how a web browser does it.
I believe this relates to the concept of certificate/public key pinning, for which there is a module available. However, I am leaving this ticket open as we would need to extend this to ACS.