Self-signed Certificate

Hi,

We are using a self-signed certificate to connect to our ODK instance, and
because we are using a self-signed certificate, we need to install it on each
tablet, referring to:

http://thetechnohaven.blogspot.in/2014/02/notes-on-ssl-mitm-and-using-self-signed.html

"This is the preferred route. What you do is - put the certificate within
your apk, change your HTTPS connection to only allow this certificate and
discard the rest"

I'm not sure if you guys can help me understand how we can put the
certificate inside the ODK apk.

Any help?

Thanks,

Don't use a self-signed certificate. That way lies madness.

Get a proper cert. You can find inexpensive ones at
https://www.namecheap.com/security/ssl-certificates.

Yaw

--
Need ODK services? http://nafundi.com provides form design, server setup, professional support, and software development for ODK.

On Mon, Sep 14, 2015 at 3:57 AM, Hanan Aqilan hjameelq@gmail.com wrote:

--

Post: opendatakit@googlegroups.com
Unsubscribe: opendatakit+unsubscribe@googlegroups.com
Options: http://groups.google.com/group/opendatakit?hl=en


You received this message because you are subscribed to the Google Groups
"ODK Community" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks Yaw, Mitch.

The point is that we need to keep our server secure; therefore, registering
the certificate will be an issue for us, as we can be tracked. Our DB is very
sensitive, which is why we are thinking of a way to resolve this issue apart
from getting a registered certificate. Currently, we are using the Google
server instance, and we pay each month to increase the daily quota. Now we
have our own instances, but we cannot use them due to the certificate issue.

Regards, -Hanan

On Monday, September 14, 2015 at 10:57:06 AM UTC+3, Hanan Aqilan wrote:

And search the web. There are some SSL cert issuers that will give you
discounts or free certs.

On Mon, Sep 14, 2015 at 6:26 AM, Yaw Anokwa wrote:

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Hanan,

You are optimizing for the wrong thing.

It's true that a self-signed cert can protect against a CA who perhaps
is being forced by a government to emit a fake cert, but an attacker
that powerful has much easier ways of compromising your system. See
the thousands of vulnerabilities in Java.

And even if you could protect against those attack vectors, it's not
clear that you can ever securely control your own PKI. See


for more information.

All this is to say, there is a reason why the vast majority of secure
sites on the web (from Google to the NSA to Goldman Sachs) don't use
self-signed certs. It's probably not more secure and it's definitely
more annoying.

If you feel that self-signed is the way to go, then you'll have to
modify the Collect source and bundle your cert there. Either way, that
cert only protects data in transmission. The real attack surface you
should worry about is the data at rest and for this, you should use
encrypted forms (https://opendatakit.org/help/encrypted-forms).

Yaw

--
Need ODK services? http://nafundi.com provides form design, server setup, professional support, and software development for ODK.
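Bundling the server's certificate and trusting nothing else, which is what the blog post quoted in the first message ("put the certificate within your apk, change your HTTPS connection to only allow this certificate and discard the rest") and Yaw's "modify the Collect source and bundle your cert there" both describe, is certificate pinning. The following is an added example, not code from ODK Collect (a Java/Android app) or from anyone in this thread; it uses Go's standard library to show the behaviour against a local HTTPS server. The hostname odk.example is hypothetical, and both certificates are generated in-process so the example runs offline; a real app would bundle only the server's public certificate, never its private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for host, generated
// in-process so the example runs offline (a real deployment bundles the cert
// the server actually presents). Returns the server-side pair and the PEM cert.
func selfSignedCert(host string) (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // verifiers match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pemBytes, nil
}

// pinnedClient returns an HTTP client that trusts only the certificates in
// pinnedPEM. A nil RootCAs silently falls back to the OS trust store, so an
// unusable pin set is reported as an error rather than widening trust.
func pinnedClient(pinnedPEM []byte, serverName string) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pinnedPEM) {
		return nil, errors.New("pin set contains no usable certificate")
	}
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	return &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// Outcome records the three checks runDemo performs.
type Outcome struct {
	PinnedOK      bool // client bundling the server's own cert connects
	SystemRejects bool // client using the OS trust store refuses it
	OtherRejects  bool // client pinned to a different self-signed cert refuses it
}

// runDemo serves HTTPS locally with a self-signed cert and tries three clients.
func runDemo() (Outcome, error) {
	const host = "odk.example" // hypothetical server name
	serverCert, serverPEM, err := selfSignedCert(host)
	if err != nil {
		return Outcome{}, err
	}
	_, otherPEM, err := selfSignedCert(host) // same name, different key
	if err != nil {
		return Outcome{}, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}}
	srv.StartTLS()
	defer srv.Close()
	var out Outcome
	pc, err := pinnedClient(serverPEM, host)
	if err != nil {
		return out, err
	}
	if resp, err := pc.Get(srv.URL); err == nil {
		resp.Body.Close()
		out.PinnedOK = resp.StatusCode == http.StatusOK
	}
	// RootCAs left nil: the OS trust store is consulted and has never heard of
	// this cert, which is the "install it on every tablet" problem.
	sys := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: &tls.Config{ServerName: host}}}
	_, err = sys.Get(srv.URL)
	out.SystemRejects = err != nil
	oc, err := pinnedClient(otherPEM, host)
	if err != nil {
		return out, err
	}
	_, err = oc.Get(srv.URL)
	var unknownCA x509.UnknownAuthorityError // a trust failure, not a network error
	out.OtherRejects = errors.As(err, &unknownCA)
	return out, nil
}
```

The three outcomes are the thread in miniature: the default client fails because no OS trust store knows the self-signed cert (hence installing it on every tablet), the pinned client succeeds, and a client pinned to a different self-signed cert for the same name fails, which is the "discard the rest" property. pinnedClient refuses an empty pin set on purpose, since in Go a nil RootCAs means the system store and a packaging mistake would otherwise widen trust instead of narrowing it. Yaw's "definitely more annoying" is concrete here: when the self-signed cert expires or the key is rotated, every installed app needs a new build carrying the new pin. And, as he says, none of this protects the data at rest.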

On Mon, Sep 28, 2015 at 4:07 PM, Hanan Aqilan hjameelq@gmail.com wrote:
