override HTTPS certificate failure

Peter TB Brett peter.brett at livecode.com
Wed Oct 26 11:16:36 EDT 2016 


On 26/10/2016 15:42, Trevor DeVore wrote:
> On Wed, Oct 26, 2016 at 9:21 AM, Peter TB Brett <peter.brett at livecode.com>
> wrote:
>
>>
>>
>> On 26/10/2016 14:42, Trevor DeVore wrote:
>>>
>>> Peter,
>>>
>>> I agree that in most cases you don’t want people bypassing these warnings.
>>> There are situations in software development where people testing software
>>> against staging servers need to connect over https without the
>>> verification
>>> step. That is why I had to implement it in my custom libURL version.
>>>
>>
>> There are several other enormously superior options.
>>
>
> Perhaps, but for testing purposes we don’t really care about implementing
> them :-) Here is my question for you - are you arguing that LiveCode (a

You probably should care about implementing them.  I can think of 
several ways to exploit this situation, especially if your test servers 
are not on the same private network as the developers who are accessing 
them.

> development tool) should not have the ability to allow a developer to
> create an application that allows a self-signed certificated that can’t be
> verified to bypass the verification process for that particular server?

Not at all! I'm saying that LiveCode already does provide the 
capability.  So there's no need to assemble a massive cannon, load it 
with explosive shells, and point it at our less security-conscious 
LiveCode developers' end-users.

I believe that it's a fantastic idea to deprecate 
libUrlSetSSLVerification, replacing it with a more fine-grained property 
that lets you select specific hosts!  It would be even better to couple 
this with a way to make libURL _only_ accept a specific, predefined 
certificate for a particular host (sort of the opposite of disabling 
verification) -- "certificate pinning", basically.

I believe that it's a bad idea to give LiveCode a built-in "feature" for 
making it easy for app end-users to ignore cert verification failures.

I believe that it's a really really bad idea to download completely 
unverified certificates and permanently add them to the list of certs 
that your app trusts implicitly.

                                                Peter

-- 
Dr Peter Brett <peter.brett at livecode.com>
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

More information about the use-livecode mailing list