Question

Maybe I'm asking an absolutely dumb question, but I couldn't find the answer yet. I know that when I'm sending or getting data in a browser over HTTPS, both the server and the client (browser) check each other's certificates. If everything is OK, the data transfer starts.

Now I wonder how to handle all this stuff in my code? I'm using some framework which allows me to download data. When I specify an address as https://..., I download stuff. But I didn't specify any certificates (I don't have any!). So how does it work in my case? Is it really HTTPS?

Here's an example that confused me: I have some file in Dropbox. I can download it with my code if I specify an https address. But I can also download the same file if I specify just http!

Explanation / Answer

You need to bundle together trusted CA root certificates in your application, especially if you're contacting third-party HTTPS websites. Major browsers verify websites using certs bundled with the application or the OS. The browser then checks that the received cert is signed by one of the stored root CAs.

You'd then need to do the same thing browsers do, and verify that the received certificate is signed by a major CA.

Certificate pinning can work for your OWN server with a self-signed certificate, when you don't wish to purchase a commercially signed certificate. But it's a very poor solution for a third party, where the certificate can change without notice. Certificates expire, can be revoked, or be suddenly replaced for whatever reason, and then suddenly your application won't work until you update everyone's application. That's a poor solution.