1
populah
37d

Since we need HTTPS in Android 9, is it okay to use self-signed certificates? Secure enough?

Comments
  • 1
    Have you tried to google your question? It's a good habit.
  • 1
    Have you thought about just enabling https correctly?
  • 1
    @gronostaj ya of course. I found only 2 links. Others are duplicates. The problem is I don't know much about certificates and I can't understand so much of the jargon used.
  • 0
    @C0D4 yeah would need ssl for that hence the certificate
  • 3
    @populah certbot solves that in minutes, otherwise find a host that comes with one.

    https://certbot.eff.org/

    Or route through cloudflare with ssl enabled.
  • 3
    Why would anyone trust self-signed certificates except in a closed intranet? Why not just use Let's Encrypt on the server?
  • 0
    Sometimes understanding something requires research. If you don't understand some terms or jargon, then you'll have to dive deeper.
  • 0
    @gronostaj exactly, I don't want to dive "deeper", that's why I am looking for some overview. I am from a mobile development background and don't want to go into too much detail of certificate generation.
  • 0
    @Fast-Nop I tried certbot.. It needs a domain registered apparently.. IPs won't work?
  • 0
    @C0D4 I tried certbot already but I guess it needs a registered domain.. Thanks for the Cloudflare suggestion.
  • 2
    @populah Let's Encrypt works against domains, and while certificates are possible against (public) IPs, that's rarely used and has compatibility problems.

    Asking the other way around, why would you want a certificate on a public IP instead of a domain? If you ever change the server, an IP based certificate will give you migration headaches while a domain based one won't.
  • 0
    There's no single right answer. We don't understand your situation, so we can't give you a one-size-fits-all solution.
  • 1
    @populah no, are you self hosting this in your house or something?
  • 1
    @Fast-Nop so basically to deploy I need digital ocean droplet and a domain, and nginx.
  • 1
    @C0D4 I really wanted to host at home but I don't have a static IP.. unlimited bandwidth though is there
  • 3
    @populah Or just get some webspace. That's pretty cheap and more reliable. If you go for shared hosting that doesn't suck, Let's Encrypt should be already there automatically and for free. Or managed VPS.

    Given that you don't have a static IP, you would need something like DynDNS to abstract the IP away, and whenever your home server reconnects (probably at least every 24 hours), the app would need to retrieve the new IP. Plus that the disconnects on the app side would be more frequent.

    I guess this would be OK for a dev setup, but would somewhat suck for actual users.
  • 4
    @populah what fastnop said.
    I have my site: www.c0d4.xyz on a RPI at home, but it checks the current IP every 10 minutes and updates Cloudflare's DNS records appropriately.

    This is by no means a mission critical site, I don't even pay for hosting for it 😅

    But for an actual app, I wouldn't recommend this as @Fast-nop pointed out.

    Get yourself an actual host as the timeouts can be off putting for your users since dynamic IPs can change frequently, mine can change 20 times in a day, or once every few days.
  • 2
    @C0D4 why u didn't use firebase or github.com to host it..?
  • 2
    @populah long story short.

    It doubles as a Google Assistant TV remote, and costs me like $10 a year for the domain and whatever insignificant power usage comes from the USB cable.

    Figured I'd put something on it to make it seem worthwhile owning a domain name.

    "Awaits le spam to find the endpoints and my tv channels changing"
  • 1
    @Fast-Nop the main problem is I need to test my API in Android and Android 9 won't support HTTP.. Only HTTPS. Switching back to an old version is again a pain in the arse so I'd rather install SSL in my Spring Boot. But the issue is it needs a CA-verified SSL so I tried using certbot and that needs a domain. So I am in a deadlock now. Can't I test it on localhost?
  • 1
    @populah Within your LAN, you could slap a domain on your host, give it a self-signed certificate and add your own CA to the trusted ones in your Android device that would be in your LAN via Wifi.

    Or, for your own testing, you could just enable http on your Android device.
  • 1
    @Fast-Nop I disabled ssl check for time being on the device. Thanks a lot.
  • 3
    For testing purposes you can use ngrok. It will create an https URL that tunnels to your server. The free version creates a new random URL every time you start it. You have to pay to have a static/fixed URL.
    I use it to quickly test something on a mobile device with a local dev server.
  • 1
    @gronostaj And then you can sometimes ask questions!
  • 0
    @linuxxx I'm cool with asking questions, but I don't like the "I don't want to learn, just give me answers" attitude.
  • 0
    @gronostaj I don't want to learn about a setup procedure which needs a lot of reading because I am gonna use it one time. My mind is already occupied with too many things.
  • 0
    @linuxxx my bad.. I didn't know it had become another SO.
  • 0
    @populah If you have a server and a client, learning about TLS and HTTPS won't hurt. The only way you wouldn't benefit from this knowledge is if you would spend your life writing mathematical simulations which can't possibly interact with the network.
  • 0
    @populah Oh no I'm not blaming you.
    While I get @gronostaj's point, I agree with you in this case.

    Kinda comparing it to when I'd need something frontend setup, I wouldn't search for long because there's no chance on earth I'd do that again voluntarily.
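
The LAN test setup suggested in the thread (a private CA that the Android device trusts), as an added example that is not part of any poster's comment: a network security config that trusts the test CA only in debuggable builds, so release builds keep the Android 9 defaults. The resource name `dev_ca` is a placeholder for your own CA certificate file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example).
     Referenced from AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config"
     on the <application> element. -->
<network-security-config>

    <!-- All builds: HTTPS only, and only the system CA store is trusted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Debuggable builds only (android:debuggable="true"): additionally
         trust the private test CA. dev_ca is a placeholder name for
         res/raw/dev_ca.pem, the CA certificate that signed the LAN
         server's certificate. Release builds ignore this element. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/dev_ca" />
        </trust-anchors>
    </debug-overrides>

    <!-- Broad setting to avoid shipping: permits plain HTTP to every host.
    <base-config cleartextTrafficPermitted="true" />
    -->
</network-security-config>
```

The server certificate has to list the host name or IP address the app connects to in its subjectAltName, otherwise hostname verification fails even though the CA is trusted.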