I want to replace HttpURLConnection in the Android app with okhttp3, because it makes for much cleaner code, doesn’t depend on the platform implementation that much, and I already use it anyway, so having two HTTP client libraries annoys me.
This brings me to self-signed certificates, i.e. allowing the app to trust any certificate. This was implemented long before Let's Encrypt became a thing and we were generally all MITMed less. Nowadays I think having this option is harmful because it provides an illusion of security to people who don’t know better, and in my experience, people generally don’t know better.
It’s been a while since I tried, but I think installing your own CA certificates is still a thing on Android, if you don’t want to use Let's Encrypt or another platform-trusted SSL certificate vendor.
Therefore, I want to remove this whole trusting-anything thing for the okhttp rewrite. Comments?
Oh, and before anyone asks, I think installing your own certificates in the app is redundant and it’s not going to happen.