Re: App Transport Security exceptions App Store signed app
- Subject: Re: App Transport Security exceptions App Store signed app
- From: Jens Alfke <email@hidden>
- Date: Wed, 27 Jan 2016 09:25:39 -0800
> On Jan 27, 2016, at 7:32 AM, Trygve Inda <email@hidden> wrote:
>
> It is basically a cost issue. It is expensive to set up SSL certificates on
> 8 different servers... It would cost us about $700/yr
Sounds like you’re being overcharged. SSL on hosted domains used to be pricey (partly due to the CPU overhead of the encryption) but hosts like Dreamhost are now offering it as a free add-on. And Let’s Encrypt makes getting and maintaining a cert free and fairly easy.
https://www.dreamhost.com/blog/2016/01/20/free-ssltls-certificates-at-dreamhost-with-lets-encrypt/
https://letsencrypt.org
> and add little benefit as it has been working fine with http (no s) for more than 10 years.
This is kind of like living in a small town that’s now grown into a big city, and still refusing to lock your doors at night. :)
The site may have been fine so far, but the world around it is changing. Both attacks against and surveillance of cleartext connections are increasing, and there’s a growing consensus that unencrypted HTTP should be deprecated. Apple’s ATS is a sign of that.
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
I think it’s pretty likely that, within a year or so, users of your website or app* are going to be seeing scary security warnings in their browser or mobile device unless you move to HTTPS.
—Jens
* My bet is that the next step (in iOS 10 / OS X 10.12?) is that the OS will put up a security alert when your app makes a non-SSL connection. Something like “FooApp wants to make an insecure connection to www.foo.com. Data could be eavesdropped on or tampered with. Is this OK?” Then after that, a year or two later, they’ll start rejecting apps from the App Store for this.
_______________________________________________
Cocoa-dev mailing list (email@hidden)