
[Bug] Adding a trusted local CA to Android is not honored by DDG

Open kensmith opened this issue 11 months ago • 5 comments

Describe the bug

DDG warns that a site may be insecure even after installing a CA certificate to Android's system level trust store.

How to Reproduce

  • Create a certificate with mkcert
  • Install as a trusted CA in Android Settings
  • Create a cert with common name = foo
  • Make sure DNS or /etc/hosts (e.g. using Virtual Hosts from F-Droid) resolves foo to the host
  • Create an HTTPS server with a mkcert certificate issued from that CA with CN = foo
  • Navigate to that server https://foo

Expected behavior

Chrome, Brave, and Firefox on the same phone all stop warning after the mkcert CA is installed in the system level trust store. I expect DDG to follow suit. This seems like a bug because the warning message claims that the certificate is not trusted by the OS when it is trusted based on being able to navigate to it in other browsers.


Environment

- DDG App Version: 5.222.0 (52220000)
- Device: Pixel 8
- OS: Android 14, Build AP2A.240905.003.B1

kensmith avatar Jan 20 '25 21:01 kensmith

Thank you for opening an Issue in our Repository. The issue has been forwarded to the team and we'll follow up as soon as we have time to investigate. As stated in our Contribution Guidelines, requests for feedback should be addressed via the Feedback section in the Android app.

github-actions[bot] avatar Jan 20 '25 21:01 github-actions[bot]

Hello! I’ve forwarded this issue internally and will let the correct team prioritise the fix. Thank you!

karlenDimla avatar Feb 07 '25 17:02 karlenDimla

I can confirm this doesn't work; I actually assumed it wasn't implemented, hence my request to import .pems into the DDG browser: https://github.com/duckduckgo/Android/issues/5589

If this is intended to work and retrieve the cert from the CA store, that's even better.

GitFo0 avatar Mar 05 '25 08:03 GitFo0

Same here, Chromium is my default browser for this exact reason! It's annoying to be always reminded that the site I'm visiting might be insecure, when I'm the one hosting it on my own server with the certificate I created myself that I then manually installed on my phone.

Screenshot of installed certificate

Screenshot of warning message in DDG (every single time I visit the site)

Screenshot of the same address in Chromium when I visit the site

Ke1i avatar Apr 13 '25 20:04 Ke1i

Just wanted to bump this, because I'm having the same issue after setting up my own CA. The other browsers on the phone got the memo, though.

KHILL3000 avatar Sep 26 '25 13:09 KHILL3000