Android Nougat may contain traces of NOT for users of custom CAs

Google will sweeten the forthcoming Nougat release of Android by changing the way apps work with certificate authorities (CAs) and simplifying APIs. The changes will affect only some apps and users, Android security team software engineer Chad Brubaker says. The changes mean Google will not automatically trust user-selected …

  1. petur


    Does that mean that user-installed CAs are out of the window?

    Currently I have my own CA to sign certificates for various home systems and I'd hate giving up that simplicity...

    1. Anonymous Coward

      Re: TL;DR

      From what I've read, I think the policy will become "not by default". However, they're providing ways to allow custom certificates, just with more limited control, as in they won't be trusted by default and, I think, can be limited so they can't be exploited so easily.

  2. Christian Berger

    That seems like a security problem

    I mean if I have some program which only needs to talk to my server, I can just deliver the correct certificate with it. There is no advantage in relying on some external certificate authority which I do not control.

    In fact, since I have no idea what the Google approved CA does and I have to hand over the keys to my kingdom, it's kinda a problem. I trust in yet another external organisation.

    Plus the obvious problem is that this might hinder reverse engineering as I cannot bypass TLS by using my own certificates.
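
Added example, not part of the article or of any comment above: the opt-in mechanism Android 7.0 (API 24) provides for these cases is the app's Network Security Configuration file. The file name, the domain `home.example` and the resource `@raw/my_private_ca` are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (file name is an assumption).
     Referenced from the <application> element of AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Default behaviour for apps targeting API 24+, written out explicitly:
         only the system CA store is trusted; user-installed CAs are not. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- An app that only talks to its own server can ship its CA in the APK
         and trust nothing else for that host. Because "system" is not listed
         here, no public CA can issue a certificate this app will accept for
         the domain. home.example and my_private_ca are placeholders. -->
    <domain-config>
        <domain includeSubdomains="true">home.example</domain>
        <trust-anchors>
            <certificates src="@raw/my_private_ca" />
        </trust-anchors>
    </domain-config>

    <!-- Applies only when the app is built with android:debuggable="true":
         the developer's own test builds also accept user-installed CAs,
         while release builds keep the stricter rules above. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

An app that should accept user-installed CAs in release builds lists `<certificates src="user" />` in the relevant `base-config` or `domain-config` instead; the choice belongs to the app developer, not to the device owner.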

