override HTTPS certificate failure

Trevor DeVore lists at mangomultimedia.com
Wed Oct 26 09:42:59 EDT 2016


On Wed, Oct 26, 2016 at 2:01 AM, Peter TB Brett <peter.brett at livecode.com>
wrote:

> On 25/10/2016 20:41, Lyn Teyla wrote:
>
>> 2. If the user elects to trust the certificate, save the certificate
>> details received from the server during that first connection.
>>
>
> You've forgotten an extremely important step: train the user to be able to
> distinguish a valid-but-not-trusted certificate from an invalid one. No-one
> has succeeded in doing this, and research has shown that offering users
> the ability to override certificate validation failures merely trains users
> to ignore certificate failures.
>
> Allowing on-demand verification-skipping is contrary to security best
> practice and will expose you to risk.
>

Peter,

I agree that in most cases you don’t want people bypassing these warnings.
There are situations in software development where people testing software
against staging servers need to connect over https without the verification
step. That is why I had to implement it in my custom libURL version.

-- 
Trevor DeVore
ScreenSteps
www.screensteps.com    -    www.clarify-it.com
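As an added example (not code from this thread, nor from libURL), here is one way to implement the step Lyn describes so that the override is confined to the very first connection: a trust-on-first-use pin store keyed by host name, where a certificate that later differs from the pinned one is a hard failure with no prompt. It assumes the caller has already obtained the server's DER certificate (for instance from ssl.SSLSocket.getpeercert(binary_form=True)); the host name and certificate bytes below are constructed.

```python
import hashlib
import hmac
import json
from enum import Enum
from pathlib import Path

class PinResult(Enum):
    FIRST_SEEN = "first_seen"  # no pin yet: the only point where a trust decision is allowed
    MATCH = "match"            # presented certificate is the one pinned on first use
    MISMATCH = "mismatch"      # hard failure: abort the connection, offer no override

class PinStore:
    """Trust-on-first-use store: host name -> SHA-256 of the server's DER certificate."""
    def __init__(self, path=None):
        # Optional JSON file so pins survive restarts; in-memory when path is None.
        self.path = Path(path) if path else None
        self.pins = json.loads(self.path.read_text()) if self.path and self.path.exists() else {}
    @staticmethod
    def fingerprint(der_cert):
        # der_cert is the raw DER blob the TLS layer hands back (assumed caller).
        return hashlib.sha256(der_cert).hexdigest()
    def check(self, host, der_cert):
        stored = self.pins.get(host)
        if stored is None:
            return PinResult.FIRST_SEEN
        if hmac.compare_digest(stored, self.fingerprint(der_cert)):
            return PinResult.MATCH
        return PinResult.MISMATCH
    def remember(self, host, der_cert):
        # A pin is recorded only when none exists; an existing pin is never
        # overwritten, so a MISMATCH cannot be silenced by "trusting" the new cert.
        if host in self.pins:
            raise ValueError(f"{host} is already pinned; refusing to replace the pin")
        self.pins[host] = self.fingerprint(der_cert)
        if self.path:
            self.path.write_text(json.dumps(self.pins))

def decide(store, host, der_cert, user_accepts_first_use):
    # True means the connection may proceed; the user override exists only on FIRST_SEEN.
    result = store.check(host, der_cert)
    if result is PinResult.MATCH:
        return True
    if result is PinResult.FIRST_SEEN and user_accepts_first_use:
        store.remember(host, der_cert)
        return True
    return False  # first use declined, or MISMATCH: refuse, no second prompt

# Constructed stand-ins for two different DER certificates (not real certificates).
STAGING_CERT = b"constructed-staging-cert"
OTHER_CERT = b"constructed-other-cert"
```

On a real connection the fingerprint comparison must happen before any application data is sent, and a MISMATCH should be logged as a security event rather than shown as a dismissable warning.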
