Secure connection to server from PhoneGap without buing SSL certificate

Question

I want to make a secure connection for obtaining data from a data (requiring a login) in a PhoneGap application. Is there some way to do this without buying an ssl certificate?

Could I use a self signed certificate and add the certificate (or its fingerprint) to the PhoneGap application, so that it can always check that the certificate is correct and no man in the middle attack takes place?

Answer 1

Is there some way to do this without buying an ssl certificate?

Yes.

akirilov gave you one answer.

You other option is to use Startcom . They offer free Class 1 certificates. Their Certificate Authority is installed on most desktop and mobile platforms.

The bad thing about using the CA Zoo is only one CA certified your certificate (whether its Startcom, Verisidn, etc). However, any CA from the zoo can claim to be the certificate authority. So a bad guy who tricks a CA or compromises a CA will be able to obtain a certifcate for your server. We've seen both happen in the past.

You can avoid the CA Zoo with certificate pinning. See OWASP's Certificate and Public Key Pinning .

---

Could I use a self signed certificate and add the certificate (or its fingerprint) to the PhoneGap application, so that it can always check that the certificate is correct and no man in the middle attack takes place?

Yes, that's fine too. Your Phone Gap application will need to perform the certificate validation, and accept your self-signed cert.

To do similar in .Net, Java, iOS, etc, you would pin your server's certificate since you know what it is in advance. I don't know how to do it in PhoneGap, though.

For information on pinning in .Net, Java, iOS, etc, see OWASP's Certificate and Public Key Pinning . There's sample code available for major platforms, including OpenSSL.