Comment by lxgr

Comment by lxgr 2 days ago

While you're at it, make sure to have them prohibit any encryption on top of HTTPS, or apps might just be hiding things in application-level encryption schemes!

Banning certificate pinning... Do we really need mandated insecurity by prohibiting apps from doing better than trusting all Apple-trusted CAs around the world?

saagarjha a day ago

They already do that to some extent, actually. Not as you mention, but because of US export compliance laws.

Reply View 2 replies

lxgr a day ago

Countless encrypted messenger apps, GPG implementations etc. beg to differ.

Reply View | 1 reply
- saagarjha a day ago
  
  Beg
  
  Reply View | 0 replies

londons_explore 2 days ago

A better rule might be "You must use our HTTPSClient class, and it either uses the system+user trust stores, or optionally it uses an application supplied certificate authority+the user trust store".

Reply View 0 replies