Https, sslVerification, certificates - huh?

Andre Garzia andre at andregarzia.com
Mon Oct 25 09:11:48 EDT 2010


Terry,

There are two different things happening here. One is SSL encryption which
protects the communication between your machine and the remote machine, the
other is user authentication that protects the other machine from
unauthorized access.

For LiveCode to trust/accept an SSL certificate as verified, it must be
issued by some certificate authority (CA) that is known. Most operating
systems come with a list of known CAs or something similar, sorry for my lack
of proper terminology but I can't recall the name of that file. If you try to
establish a connection to a secure server and the certificate provided by
that server is not from a known CA due to one of the possible facts:

* that the CA file is outdated or not found
* the remote guys used some CA that is not common and not on most CA files
* the remote guys are using a self-signed certificate meaning they are
acting like their own authority.

This will trigger an error on the SSL library, not an untrusted connection
or encryption error but a CA verification error. The connection still works
and is secure but the certificate can't be verified. Basically it is an
error of the type "we don't know who issued this damn thing so we're
screaming".

You're still protected in terms of a technical standpoint. Checking out the
error spilled by libURL might help you understand what is actually happening
such as "is it self-signed", "is it expired"... but the SSL connection will
still hold.

When you set libURLSetSSLVerification to false you're just bypassing this
verification step and jumping to the actual business of "hey machine, just
encrypt this damn connection will you!".

The authentication side happens on another layer. After the secure
connection is established and that is TCP/IP juggling bytes like those street
magicians, you will face the HTTP Authentication layer which is like that
really big bouncer at the front door of that club you want to enter. If you
passed the magician with the really entangled bytes, then, you need to
present your credentials to the bouncer or you will not be allowed in.
Different things on the same street but you need to pass from one to the
other to arrive at your desired destination.

Hope this helps
andre "Question the Certificate Authority!!!" garzia
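An added illustration of the verification step Andre describes, not part of his message: Go's standard library runs the same CA check a TLS client performs, so a throwaway self-signed certificate (constructed here) can be checked against a trust store that lacks its issuer, against one that trusts it, and when it has expired. The helper names and verdict strings are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)
// selfSignedCert builds a throwaway "localhost" certificate signed with its own key (constructed for this example).
func selfSignedCert(notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Verdict runs the CA verification a TLS client performs (the step libURLSetSSLVerification false skips) and names the outcome.
func Verdict(cert *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var ua x509.UnknownAuthorityError
	var ci x509.CertificateInvalidError
	switch {
	case err == nil:
		return "verified"
	case errors.As(err, &ua):
		return "unknown CA" // issuer not in the trust store: an uncommon CA or a self-signed certificate
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return "expired"
	}
	return "other: " + err.Error()
}

func main() {
	cert := selfSignedCert(time.Now().Add(time.Hour))
	own := x509.NewCertPool() // the fix that keeps verification on: trust that issuer explicitly
	own.AddCert(cert)
	fmt.Println(Verdict(cert, x509.NewCertPool(), "localhost"), "/", Verdict(cert, own, "localhost"))
}
```

The first verdict is the CA verification error the post describes; the second shows that adding the issuer to the trust store clears it without turning verification off.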
