Android icon indicating copy to clipboard operation
Android copied to clipboard
verified publisher icon duckduckgo

Trust user-added CAs

Open dougmccluer opened this issue 1 month ago • 0 comments

Task/Issue URL: #5497

Description

updates network_security_config.xml in the F-Droid and Play Store builds to trust user-added CAs. (Internal builds already do this.)

This allows a user to use self-signed certs for https sites in a homelab or company intranet for example, provided the user has manually installed the root cert on their device as a trusted CA via Android system settings.

Previously, if a user attempted to connect to an https site whose certificate was not issued by one of the standard CAs that ships with Android, then they would be presented with a "This site may be insecure" warning screen, even if the user had explicitly added the cert's root CA as a trusted one in the Android system settings.

Steps to test this PR

Feature 1

  • [ ] Create a CA and self-signed cert (tutorial )
  • [ ] set up a local https site using the self-signed cert (nginx config guide)
  • [ ] using a non-debug build of duckduckgo, load the site and verify that green shield appears in url bar and no warning screen appears

UI changes

Before After
before after

dougmccluer avatar Dec 02 '25 23:12 dougmccluer