override HTTPS certificate failure

Trevor DeVore lists at mangomultimedia.com
Wed Oct 26 11:31:00 EDT 2016


On Wed, Oct 26, 2016 at 10:16 AM, Peter TB Brett <peter.brett at livecode.com>
wrote:

>
>
> On 26/10/2016 15:42, Trevor DeVore wrote:
>>
>>
>> Perhaps, but for testing purposes we don’t really care about implementing
>> them :-) Here is my question for you - are you arguing that LiveCode (a
>>
>
> You probably should care about implementing them.  I can think of several
> ways to exploit this situation, especially if your test servers are not on
> the same private network as the developers who are accessing them.


I realize that. I’m okay with that in certain situations. I’m also in favor
of adding free SSL certs to a staging server (I come from a time long ago
where certs weren’t free) on occasion. I just want to be able to solve the
problem how I see fit for my needs.


> development tool) should not have the ability to allow a developer to
>> create an application that allows a self-signed certificated that can’t be
>> verified to bypass the verification process for that particular server?
>>
>
> Not at all! I'm saying that LiveCode already does provide the capability.


Not exactly. It only has a way to turn it off wholesale.


> So there's no need to assemble a massive cannon, load it with explosive
> shells, and point it at our less security-conscious LiveCode developers'
> end-users.


Agreed that we don’t want to do that.


> I believe that it's a fantastic idea to deprecate
> libUrlSetSSLVerification, replacing it with a more fine-grained property
> that lets you select specific hosts!


We are in agreement here.


> It would be even better to couple this with a way to make libURL _only_
> accept a specific, predefined certificate for a particular host (sort of
> the opposite of disabling verification) -- "certificate pinning", basically.
>
> I believe that it's a bad idea to give LiveCode a built-in "feature" for
> making it easy for app end-users to ignore cert verification failures.
>

I think I’m in agreement with you here as well. That brings us back to the
current branch I’ve been working on. The developer would have to define a
callback and handle the decision making process. libURL just provides APIs
for adding hosts that libURL will bypass.


> I believe that it's a really really bad idea to download completely
> unverified certificates and permanently add them to the list of certs that
> your app trusts implicitly.


Agreed.

-- 
Trevor DeVore
ScreenSteps
www.screensteps.com    -    www.clarify-it.com



More information about the use-livecode mailing list