ceylon-sdk icon indicating copy to clipboard operation
ceylon-sdk copied to clipboard
verified publisher icon eclipse-archived

Support SSL sockets

Open FroMage opened this issue 11 years ago • 6 comments

We should add support for SSL sockets, in a way that does not leak to the users more than by specifying that SSL should be used.

FroMage avatar Feb 11 '14 11:02 FroMage

I have a Java prototype that abstracts SSL into the traditional select/async pattern we use, so I should be able to merge this in.

FroMage avatar Feb 11 '14 11:02 FroMage

What is our stance about self-signed certificates?

tombentley avatar Feb 11 '14 11:02 tombentley

Do we need to have a stance? I don't think we do.

FroMage avatar Feb 11 '14 11:02 FroMage

What I mean is: If I write a client which connected to some https site and that site has a self signed certificate, by default is the connection considered OK, or does the connection fail.

tombentley avatar Feb 11 '14 11:02 tombentley

Not sure, I'll read up on it before I set the default. It's my understanding that nowadays people actually advise you to use self-signed certificates, in the light that SSL certificate signing authorities are compromised by governments so self-signed is actually more secure (for the certificate owner). So not clear at all.

FroMage avatar Feb 11 '14 11:02 FroMage

Well, the choice is between the devil and the deep blue sea. If we were to always trust self-signed certs then there's no detection/prevention of MITM. OTOH, (assuming this is all built on Java's security stuff), then to use a self signed cert people would have to find out the cryptic commands used to add a cert to the JVMs trusted certs file. My personal experience is that this feels pretty cryptic and fiddly the first few times you do it, and it raises the bar for people adopting HTTPS.

tombentley avatar Feb 11 '14 11:02 tombentley