From: Soren Stoutner Date: Wed, 13 Sep 2017 23:42:29 +0000 (-0700) Subject: Update SSL Certificate Guide. X-Git-Tag: v2.6~4 X-Git-Url: https://gitweb.stoutner.com/?a=commitdiff_plain;h=f5434ed563e4cb01c950d83aa4e179e2811a8612;p=PrivacyBrowserAndroid.git Update SSL Certificate Guide. --- diff --git a/app/build.gradle b/app/build.gradle index 8764284e..399adf0b 100644 --- a/app/build.gradle +++ b/app/build.gradle @@ -55,10 +55,10 @@ android { dependencies { compile fileTree(include: ['*.jar'], dir: 'libs') - compile 'com.android.support:design:25.3.1' + compile 'com.android.support:design:25.4.0' // Only compile `com.google.firebase:firebase-ads:9.8.0` for the free flavor. - freeCompile 'com.google.firebase:firebase-ads:9.8.0' + freeCompile 'com.google.firebase:firebase-ads:11.2.2' } // Google's documentation says the following line is required for `firebase-ads` but things work correctly without it. I have no interest in applying the Google Mobile Services plugin in the standard flavor if I don't have to. diff --git a/app/src/main/assets/de/guide_ssl_certificate_pinning.html b/app/src/main/assets/de/guide_ssl_certificate_pinning.html deleted file mode 100644 index 8fb49250..00000000 --- a/app/src/main/assets/de/guide_ssl_certificate_pinning.html +++ /dev/null @@ -1,65 +0,0 @@ - - - - - - - - - -

Connect with Confidence

- -

When visiting an encrypted URL (one that begins with HTTPS), the webserver uses an SSL certificate to both encrypt the information sent to the browser and to identify the server. - The purpose of the server identification is to prevent a machine located between the browser and the webserver from pretending to be the server and decrypting the information in transit. - This type of attack is known as a Man In The Middle (MITM) attack. SSL certificates are generated by certificate authorities: companies that verify a server’s identity and produce a certificate for a fee. - Android has a list of trusted certificate authorities, and will accept any of their certificates for any website. - It isn’t supposed to be possible for an organization to acquire an SSL certificate for a domain they do not control, but in practice many governments and large corporations have been able to do so.

- -

The purpose of SSL certificate pinning is to tell the browser that only one specific SSL certificate is to be trusted for a particular domain. Any other certificate, even if it is valid, will be rejected.

- -

- -

SSL certificates expire on a specified date, so even pinned SSL certificates will legitimately need to be updated from time to time. - As a general rule, pinning SSL certificates probably isn’t needed in the majority of cases. - But for those who suspect that powerful organizations may be targeting them, SSL certificate pinning can detect and thwart a MITM attack.

- -

- -

SSL certificates can be pinned in Domain Settings. - Besides protecting against MITM attacks, pinning a self-signed certificate for a device like a wireless router or access point will remove the error message that is normally presented every time its website is loaded.

- - \ No newline at end of file diff --git a/app/src/main/assets/de/guide_ssl_certificates.html b/app/src/main/assets/de/guide_ssl_certificates.html new file mode 100644 index 00000000..1a228fe3 --- /dev/null +++ b/app/src/main/assets/de/guide_ssl_certificates.html @@ -0,0 +1,66 @@ + + + + + + + + + +

Connect with Confidence

+ +

When visiting an encrypted URL (one that begins with HTTPS), the webserver uses an SSL certificate to both encrypt the information sent to the browser and to identify the server. + The purpose of the server identification is to prevent a machine located between the browser and the webserver from pretending to be the server and decrypting the information in transit. + This type of attack is known as a Man In The Middle (MITM) attack. SSL certificates are generated by certificate authorities: companies that verify a server’s identity and produce a certificate for a fee. + Android has a list of trusted certificate authorities, and will accept any of their certificates for any website. + It isn’t supposed to be possible for an organization to acquire an SSL certificate for a domain they do not control, but in practice many governments and large corporations have been able to do so.

+ +

Pinning an SSL certificate tells the browser that only one specific SSL certificate is to be trusted for a particular domain. Any other certificate, even if it is valid, will be rejected.

+ +

+ +

SSL certificates expire on a specified date, so even pinned SSL certificates will legitimately need to be updated from time to time. + As a general rule, pinning SSL certificates probably isn’t needed in the majority of cases. + But for those who suspect that powerful organizations may be targeting them, SSL certificate pinning can detect and thwart a MITM attack.

+ +

+ +

SSL certificates can be pinned in Domain Settings. + Besides protecting against MITM attacks, pinning a self-signed certificate for a device like a wireless router or access point will remove the error message that is normally presented every time its website is loaded. + To view the current website SSL certificate, tap on the favorite icon next to the URL bar.

+ + \ No newline at end of file diff --git a/app/src/main/assets/en/about_changelog.html b/app/src/main/assets/en/about_changelog.html index 21c37df0..ce198911 100644 --- a/app/src/main/assets/en/about_changelog.html +++ b/app/src/main/assets/en/about_changelog.html @@ -27,6 +27,16 @@ +

2.6 (version code 26)

+

14 September 2017 - minimum API 19, target API 25

+ +

2.5 (version code 25)

26 August 2017 - minimum API 19, target API 25
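Review bot: In the app/build.gradle hunk, the unchanged comment above the `freeCompile` line still names `com.google.firebase:firebase-ads:9.8.0` although the dependency now resolves to 11.2.2. Update the comment, or drop the version number from it so it cannot go stale again. The commit subject "Update SSL Certificate Guide." also says nothing about the `design` 25.3.1 to 25.4.0 and `firebase-ads` 9.8.0 to 11.2.2 bumps. Either split them into their own commit or mention them in the message, so the dependency change can be found in history.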
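Review bot: In the added app/src/main/assets/de/guide_ssl_certificates.html, the expiry paragraph says pinned certificates "will legitimately need to be updated from time to time", but the guide never says how a user should tell a legitimate renewal from the substituted certificate that pinning is meant to catch. Add a sentence there that connects the two: when a pinned site presents a different certificate, open the certificate view described in the new last sentence ("tap on the favorite icon next to the URL bar") and check the details before pinning the replacement. Two smaller points on the same file: the text placed under `de/` is English, and the file ends with "\ No newline at end of file", so a trailing newline would keep later diffs clean.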