Do not automatically accept all SSL certificates [released]
asked 2014-01-04 22:35:28 +0300
The Mail app is set to automatically accept all SSL certificates by default, which is a security risk. I'm awfully sorry to complain about something because it works ( :-) ), but I was unpleasantly surprised when I successfully managed to set up my email account (which uses a self-signed SSL certificate) without the Jolla complaining about the certificate's validity.
In all seriousness, though, the device should not blindly trust certificates -- at least not without informing the user. Instead, it should give the user the option to (manually) inspect it and then accept (e.g., by adding an exception, either globally or just for the Mail app) or reject. Alternatively, you could have an option like 'SSL (accept all certificates)' like the default mail app in Android, and make sure that the option 'SSL' rejects all certificates that haven't been signed by a trusted authority.
though i cannot find it(search is lousy), i'm pretty sure this has been requested before...
AL13N ( 2014-01-05 00:07:42 +0300 )editI've seen it mentioned in a comment to a related question here, but couldn't find a thread discussing the issue specifically.
martti ( 2014-01-05 00:20:34 +0300 )editOne way to do would be to ask the user to accept self-signed certificate and warn when the certificate changes (kind of like SSH). This same model could apply to WWW browser, email and the certificates used in WiFI WPA Enterprise authentication. Also certificate manager (UI) is needed.
Karri Huhtanen ( 2014-01-06 17:58:50 +0300 )editWrote a possible way to handle self-signed certificates in any Jolla app here: https://together.jolla.com/question/11215/accepting-self-signed-certificates/ It is based on my previous comment in this thread.
Karri Huhtanen ( 2014-01-09 11:36:15 +0300 )edit