#1

Within the enterprise environment, occasionally some hosts are served with corporate internal CA. And, these root certificates are registered in each device user store.

But obsidian (android) looks only trusts certificates in the system store.

So, retrieving web content or accessing server with some plugins (e.g., ReadItLater, Auto Link Title, or Self-hosted LiveSync), failed.

I know it’s disabled by default since API level 24.
But if you add “user” to certificate src, It would be very useful.

Could you possibly consider it?

Edited: Moved into Mobile Category

1 Like
External Images over http don't load on Android preview
#2

I renamed this thread to clarify its intent. For anyone who stumbles upon this thread in the future, allowing this will let whoever provided you the root certificate (state or corporate) to spy on you (perform a men in the middle attack).

Something like this:

#3

You are right to be concerned. That’s right, if an untrusted root certificate has been installed, may MITM works.

On the other hand, it’s also true that some people want to access the endpoint that is non-secure or signed by a local CA.

For example, in a corporate environment, it may be used for various reasons, and the same is true for local testing.

Of course, it is safe to prohibit access to all addresses, but is it possible to add a feature to register addresses that may be accessed as an “allowlist” and not prohibit access to those addresses?

This would be very helpful.