iOS and Android trusted certificate authorities for HTTPS communication
I am developing a Cordova application which is required to communicate with my Node (Sails.js) server using SSL (HTTPS).
The application will be of an e-commerce nature (hence HTTPS is required).
I can test using a self-signed cert by manually installing the cert on my Apple/Android device. This obviously is not how I wish to publish my application, so I'm assuming that I need to purchase a cert that both Android and Apple trust by default.
First question is: is my above assumption correct?
I'm pretty sure the VeriSign certs should be trusted by both, but these are very pricey! The cheapest VeriSign one I could find is $599/year (for one server).
Second question is: does anyone have a list of other authorities that both Android and Apple trust by default? And if so, which specific cert should I purchase from them?
My client code for creating the socket connection:
    // `io` is the socket.io client global loaded by the page's socket.io script tag;
    // `connectionUrl` is the https:// URL of the Sails server, defined elsewhere.
    socket = io.connect(connectionUrl, {
        secure: true,                // connect over TLS (wss:// / https://)
        port: 443,
        reconnection: true,
        reconnectionDelay: 1000,     // first retry after 1 s ...
        reconnectionDelayMax: 5000,  // ... backing off to at most 5 s
        timeout: 20000               // give up a connection attempt after 20 s
    });
I can test using a self-signed cert by manually installing the cert on my Apple/Android device. This obviously is not how I wish to publish my application, so I'm assuming that I need to purchase a cert that both Android and Apple trust by default.
First question is: is my above assumption correct?
No.
You can run the app in production with the certificate too. Since you already know what the server's certificate is, embed it in your application. There's no reason to go to a commercial CA or use the CA zoo in this use case.
Note Well: in this particular use case, there's a trusted distribution channel (App Store and Google Play). So you can do things like leverage a priori knowledge of the server and embed certificates without worry of tampering. If the app was not distributed over a trusted channel, then you would need additional security controls. Or if you did not know the server in advance, then you could not use this method.
I'm pretty sure the VeriSign certs should be trusted by both, but these are very pricey! The cheapest VeriSign one I could find is $599/year (for one server).
No.
Use a certificate from StartCom. They offer free Class 1 certificates (domain validation, no wildcards). They are trusted by most mobile and desktop browsers. They charge you for revocation, if needed.
CACert also provides free certificates, but I've never used them. Also, I don't know how frequently their CA is installed in mobile and desktop browsers.
Finally, there's another free newcomer called Let's Encrypt. I know nothing about them. I don't even know how frequently (or infrequently) their CA certificates are trusted.
Also, those high dollar Extended Validation (EV) certificates are not worth the money. They add no additional security controls, so they are as useful (or useless) as a Domain Validated (DV) certificate from a security point-of-view. The only thing they do is restore CA profit levels eroded by the Race to the Bottom.
Second question is: does anyone have a list of other authorities that both Android and Apple trust by default?
Be careful about asking for lists of things or favorite things, etc. That's kind of off-topic for Stack Overflow.
    socket = io.connect(connectionUrl, {
        secure: true,
        port: 443,
        reconnection: true,
        reconnectionDelay: 1000,
        reconnectionDelayMax: 5000,
        timeout: 20000
    });
You are going to need to do a little more here. In particular, you are going to need to supply the server's certificate or the CA that certifies the server. My PhoneGap book does not detail how to change or pin a certificate. But that's what you need to do.
If PhoneGap does not allow you to pin the certificate (shame on them; file a bug report), then you have to fall back to the browser security model and the CA zoo. In the browser security model, any trust anchor or CA can claim to certify your commerce site (even the wrong ones). In this case, use StartCom or CACert.
The browser security model and CA zoo break down more often than you'd expect. For example, over the last 2 years, here are the CAs and subordinate CAs that have failed (that we know about): DigiNotar, Trustwave, TurkTrust, National Informatics Centre (NIC) of India, French Ministry of Finance. For a brief history of their failures, see Risk/History at CACert. (You should do anything you can to avoid the browser security model.)