[security] add client verification of server certificate
Allow the client to require a specific certificate or certificate authority on the server. ManicTime carries a lot of potentially sensitive information for me. In theory, if someone wanted, they could create a server that would accept any credentials from a ManicTime client and accept the entire upload by pretending to be the server the client normally connects to. This would allow the client to validate that the server is in fact who is expected and, as a result, stop this potential information leak.
On a more practical note, where would this be useful:
You have a laptop that connects to a ManicTime server at home on a specific IP. You take it somewhere and connect to a different network with a malicious actor that created a fake server and controls DNS or happens to pick the right IP that my desktop client wants to talk to. The client won't check who it's connecting to and it would upload all my data to someone else.
Next scenario is basically the same but for an Android phone. The actor would now potentially have all my call history including contact names and phone numbers.
For outbound connections firewalls generally won't help... Not without a lot of magic anyway.
I don't understand this use case.
If the ManicTime server is on the xyz.com domain, the certificate is specific to this address. Even if a malicious actor comes in between, it does not have the correct certificate for this domain.
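
Added example, not part of the thread and not ManicTime code: the check requested in the first post, written in Python, where the client compares the SHA-256 fingerprint of the certificate the server presents against a pinned value before sending anything. The function names, `SAMPLE_DER` and the optional CA file are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"constructed-stand-in-for-a-DER-certificate"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare against a pin written as plain hex or colon-separated hex."""
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert).encode(), normalized.encode())


def make_context(ca_file=None) -> ssl.SSLContext:
    """Verifying client context; with ca_file, trust only that CA or certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def connect_pinned(host, port, pinned_hex, ca_file=None, timeout=10.0):
    """Return a TLS socket only if the presented certificate matches the pin."""
    ctx = make_context(ca_file)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # The check runs right after the handshake, before any upload is sent.
    if not pin_matches(tls.getpeercert(binary_form=True), pinned_hex):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls
```

With a pin in place, a server that holds a different certificate is rejected even when that certificate would pass ordinary chain validation.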