+<!--
+ Copyright © 2017 Soren Stoutner <soren@stoutner.com>.
+
+ This file is part of Privacy Browser <https://www.stoutner.com/privacy-browser>.
+
+ Privacy Browser is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ Privacy Browser is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with Privacy Browser. If not, see <http://www.gnu.org/licenses/>. -->
+
+<html>
+ <head>
+ <meta charset="UTF-8">
+ <style>
+ h3 {
+ color: 0D4781;
+ }
+
+ img.title {
+ vertical-align: bottom;
+ height: 32;
+ width: 32;
+ }
+
+ img.center {
+ display: block;
+ margin-left: auto;
+ margin-right: auto;
+ height: 640;
+ width: 360;
+ }
+ </style>
+ </head>
+
+ <body>
+ <h3><img class="title" src="images/ic_vpn_lock_dark_blue.png"> Know Where You’re Going</h3>
+
+ <p>When visiting an encrypted URL (one that begins with HTTPS), the webserver uses an SSL certificate to both encrypt the information sent to the browser and to identify the server.
+ The purpose of the server identification is to prevent a machine located between the browser and the webserver from intercepting the traffic in transit, pretending to be the server, and decrypting the information as it is passed along.
+ This type of attack is known as a Man In The Middle (MITM) attack. SSL certificates are generated by certificate authorities: companies that verify a server’s identity and produce a certificate for a fee.
+ Android has a list of trusted certificate authorities, and will accept any of their certificates for any website.
+ It isn’t supposed to be possible for an organization to acquire an SSL certificate for a domain they do not control, but in practice many governments and large corporations have been able to do so.</p>
+
+ <p>The purpose of SSL certificate pinning is to tell the browser that only one specific SSL certificate is to be trusted for a particular domain. Any other valid certificate will be rejected.</p>
+
+ <p><img class="center" src="images/ssl_certificate_mismatch.png"></p>
+
+ <p>SSL certificates expire on a specified date, so even pinned SSL certificates will legitimately need to be updated from time to time.
+ As a general rule, pinning SSL certificates probably isn’t needed in the majority of cases.
+ But for those connecting to their own servers, or for those who suspect that powerful organizations may be targeting them directly, SSL certificate pinning can detect and thwart a MITM attack.</p>
+
+ <p><img class="center" src="images/pinned_ssl_certificate.png"></p>
+
+ <p>SSL certificates can be pinned in Domain Settings.
+ Besides protecting against MITM attacks, pinning a self-signed certificate for a device like a wireless router or access point will remove the error message that is normally presented every time its website is loaded.</p>
+ </body>
+</html>
\ No newline at end of file