Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2020/08/05 22:35:34 UTC

[GitHub] [cordova-docs] breautek opened a new pull request #1109: docs: Security revisements

breautek opened a new pull request #1109:
URL: https://github.com/apache/cordova-docs/pull/1109


   
   ### Platforms affected
   
   docs
   
   ### Motivation and Context
   
   Closes https://github.com/apache/cordova-docs/issues/1080
   
   ### Description
   
   Adds a new section recommending the use of SSL/TLS. This section mentions the availability of some free tools and services such as Let's Encrypt and SSL Labs.
   
   Additionally, I have revised the existing `Self-signed certificates` section. The notable changes are removing text suggesting the use of non-https or cleartext connections. In general, using a trusted certificate authority is encouraged, while noting a specific instance where one may use self-signed certificates.
   
   ### Testing
   
   Ran `npm test`
   
   ### Checklist
   
   - [x] I've run the tests to see all new and existing tests pass
   - [x] I added automated test coverage as appropriate for this change
   - [x] Commit is prefixed with `(platform)` if this change only applies to one platform (e.g. `(android)`)
   - [x] If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct [keyword to close issues using keywords](https://help.github.com/articles/closing-issues-using-keywords/))
   - [x] I've updated the documentation if necessary
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


[GitHub] [cordova-docs] breautek commented on a change in pull request #1109: docs: Security revisements

Posted by GitBox <gi...@apache.org>.
breautek commented on a change in pull request #1109:
URL: https://github.com/apache/cordova-docs/pull/1109#discussion_r466181930



##########
File path: www/docs/en/dev/guide/appdev/security/index.md
##########
@@ -53,11 +53,21 @@ There are ways to approximate certificate pinning, such as checking the server's
 
 There are also plugins that can do true certificate pinning for some platforms, assuming your app is able to do all of its network requests using the plugin (i.e.: no traditional XHR/AJAX requests, etc).
 
+## Using TLS/SSL
+
+If your app communicates to an external server, it should be communicating using modern encryption standards. Use `https` protocol whenever is possible.
+
+[Let's Encrypt](https://letsencrypt.org/) is a free, automated, and open certificate authority provided by the nonprofit [Internet Security Research Group](https://www.abetterinternet.org/). Let's Encrypt will offer free standard certificates, which will be sufficient for most developers. Enterprise organizations may still want to use a traditional certificate authority that offers more advanced features such as [Extended Validation](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) or [Organization Validation](https://en.wikipedia.org/wiki/Public_key_certificate#Organization_validation) certificates.
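Review bot: the wording of the two added paragraphs needs tightening before this lands. In the first paragraph, "communicates to an external server" should read "communicates with an external server", and "Use `https` protocol whenever is possible" should read "Use the `https` protocol whenever possible". In the Let's Encrypt paragraph, "will offer free standard certificates" reads as a future plan, but Let's Encrypt already issues these certificates, so "offers free standard certificates" is the accurate tense. The section is headed "Using TLS/SSL" yet only tells readers to pick the `https` scheme; a sentence pointing to SSL Labs for checking the server's TLS configuration, which the PR description says this change mentions, would make the section actionable.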

Review comment:
       I think the purpose is that you have a certificate authority confirm the identity of an agent who is representing an organization. The certificate authority will put the organization name on the certificate. Microsoft for example uses one.
   
   I've applied your suggestions about the EV and also corrected some unrelated grammar. :+1: 






[GitHub] [cordova-docs] erisu merged pull request #1109: docs: Security revisements

Posted by GitBox <gi...@apache.org>.
erisu merged pull request #1109:
URL: https://github.com/apache/cordova-docs/pull/1109


   




[GitHub] [cordova-docs] NiklasMerz commented on a change in pull request #1109: docs: Security revisements

Posted by GitBox <gi...@apache.org>.
NiklasMerz commented on a change in pull request #1109:
URL: https://github.com/apache/cordova-docs/pull/1109#discussion_r466179729



##########
File path: www/docs/en/dev/guide/appdev/security/index.md
##########
@@ -53,11 +53,21 @@ There are ways to approximate certificate pinning, such as checking the server's
 
 There are also plugins that can do true certificate pinning for some platforms, assuming your app is able to do all of its network requests using the plugin (i.e.: no traditional XHR/AJAX requests, etc).
 
+## Using TLS/SSL
+
+If your app communicates to an external server, it should be communicating using modern encryption standards. Use `https` protocol whenever is possible.
+
+[Let's Encrypt](https://letsencrypt.org/) is a free, automated, and open certificate authority provided by the nonprofit [Internet Security Research Group](https://www.abetterinternet.org/). Let's Encrypt will offer free standard certificates, which will be sufficient for most developers. Enterprise organizations may still want to use a traditional certificate authority that offers more advanced features such as [Extended Validation](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) or [Organization Validation](https://en.wikipedia.org/wiki/Public_key_certificate#Organization_validation) certificates.

Review comment:
       No idea TBH. I never came across those. I don't really understand what they are and why you would get those.
   
   EV were just in my memory for security news like https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/






[GitHub] [cordova-docs] breautek commented on a change in pull request #1109: docs: Security revisements

Posted by GitBox <gi...@apache.org>.
breautek commented on a change in pull request #1109:
URL: https://github.com/apache/cordova-docs/pull/1109#discussion_r466177449



##########
File path: www/docs/en/dev/guide/appdev/security/index.md
##########
@@ -53,11 +53,21 @@ There are ways to approximate certificate pinning, such as checking the server's
 
 There are also plugins that can do true certificate pinning for some platforms, assuming your app is able to do all of its network requests using the plugin (i.e.: no traditional XHR/AJAX requests, etc).
 
+## Using TLS/SSL
+
+If your app communicates to an external server, it should be communicating using modern encryption standards. Use `https` protocol whenever is possible.
+
+[Let's Encrypt](https://letsencrypt.org/) is a free, automated, and open certificate authority provided by the nonprofit [Internet Security Research Group](https://www.abetterinternet.org/). Let's Encrypt will offer free standard certificates, which will be sufficient for most developers. Enterprise organizations may still want to use a traditional certificate authority that offers more advanced features such as [Extended Validation](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) or [Organization Validation](https://en.wikipedia.org/wiki/Public_key_certificate#Organization_validation) certificates.

Review comment:
       Is organization validation still relevant?






[GitHub] [cordova-docs] NiklasMerz commented on a change in pull request #1109: docs: Security revisements

Posted by GitBox <gi...@apache.org>.
NiklasMerz commented on a change in pull request #1109:
URL: https://github.com/apache/cordova-docs/pull/1109#discussion_r466209954



##########
File path: www/docs/en/dev/guide/appdev/security/index.md
##########
@@ -53,11 +53,21 @@ There are ways to approximate certificate pinning, such as checking the server's
 
 There are also plugins that can do true certificate pinning for some platforms, assuming your app is able to do all of its network requests using the plugin (i.e.: no traditional XHR/AJAX requests, etc).
 
+## Using TLS/SSL
+
+If your app communicates to an external server, it should be communicating using modern encryption standards. Use `https` protocol whenever is possible.
+
+[Let's Encrypt](https://letsencrypt.org/) is a free, automated, and open certificate authority provided by the nonprofit [Internet Security Research Group](https://www.abetterinternet.org/). Let's Encrypt will offer free standard certificates, which will be sufficient for most developers. Enterprise organizations may still want to use a traditional certificate authority that offers more advanced features such as [Extended Validation](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) or [Organization Validation](https://en.wikipedia.org/wiki/Public_key_certificate#Organization_validation) certificates.

Review comment:
       Makes sense :+1:






[GitHub] [cordova-docs] NiklasMerz commented on a change in pull request #1109: docs: Security revisements

Posted by GitBox <gi...@apache.org>.
NiklasMerz commented on a change in pull request #1109:
URL: https://github.com/apache/cordova-docs/pull/1109#discussion_r466175837



##########
File path: www/docs/en/dev/guide/appdev/security/index.md
##########
@@ -53,11 +53,21 @@ There are ways to approximate certificate pinning, such as checking the server's
 
 There are also plugins that can do true certificate pinning for some platforms, assuming your app is able to do all of its network requests using the plugin (i.e.: no traditional XHR/AJAX requests, etc).
 
+## Using TLS/SSL
+
+If your app communicates to an external server, it should be communicating using modern encryption standards. Use `https` protocol whenever is possible.
+
+[Let's Encrypt](https://letsencrypt.org/) is a free, automated, and open certificate authority provided by the nonprofit [Internet Security Research Group](https://www.abetterinternet.org/). Let's Encrypt will offer free standard certificates, which will be sufficient for most developers. Enterprise organizations may still want to use a traditional certificate authority that offers more advanced features such as [Extended Validation](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) or [Organization Validation](https://en.wikipedia.org/wiki/Public_key_certificate#Organization_validation) certificates.

Review comment:
       I would not mention Extended Validation as it's essentially a thing of the past. Browsers stopped or will stop showing the special "green bar" and badges for EV and they no longer make sense.






[GitHub] [cordova-docs] NiklasMerz commented on a change in pull request #1109: docs: Security revisements

Posted by GitBox <gi...@apache.org>.
NiklasMerz commented on a change in pull request #1109:
URL: https://github.com/apache/cordova-docs/pull/1109#discussion_r466209954



##########
File path: www/docs/en/dev/guide/appdev/security/index.md
##########
@@ -53,11 +53,21 @@ There are ways to approximate certificate pinning, such as checking the server's
 
 There are also plugins that can do true certificate pinning for some platforms, assuming your app is able to do all of its network requests using the plugin (i.e.: no traditional XHR/AJAX requests, etc).
 
+## Using TLS/SSL
+
+If your app communicates to an external server, it should be communicating using modern encryption standards. Use `https` protocol whenever is possible.
+
+[Let's Encrypt](https://letsencrypt.org/) is a free, automated, and open certificate authority provided by the nonprofit [Internet Security Research Group](https://www.abetterinternet.org/). Let's Encrypt will offer free standard certificates, which will be sufficient for most developers. Enterprise organizations may still want to use a traditional certificate authority that offers more advanced features such as [Extended Validation](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) or [Organization Validation](https://en.wikipedia.org/wiki/Public_key_certificate#Organization_validation) certificates.

Review comment:
       Makes sense +1. Thanks



