On Sunday, 2 August 2020 16:09:32 PDT Hamish Moffatt wrote:
> On 3/8/20 9:05 am, Alexander Carôt wrote:
> >> I repeat: whatever you do, don't ship a private key.
> >
> > All right - will consider alternative ideas.
>
> Consider generating your own root CA certificate and asking your users
> to install that in their browser. Then sign the site certificate (for a
> non-existent, non-registerable domain) with that.

Sorry, I might be missing some critical piece of information: is it a browser
that is connecting to your websocket service? I thought it was a web view,
whose CA list you could control.

If you can't programmatically control the CA list of the WS client, then I
don't see a secure solution. Doing what Hamish just suggested is not a good
idea either, as becoming a CA has huge implications. If you get hacked, then
your clients can get hacked too. And you become a target of hacks because your
clients are installing your root CA.

My suggestion of generating on each client works only so long as you control
both sides of the websocket connection (client and server).

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel DPG Cloud Engineering