override HTTPS certificate failure

Richard Gaskin ambassador at fourthworld.com
Wed Oct 26 12:26:46 EDT 2016


Bob Sneidar wrote:

 > On Oct 26, 2016, at 08:16, Peter TB Brett <peter.brett at livecode.com> wrote:
 >
 >> I believe that it's a really really bad idea to download completely
 >> unverified certificates and permanently add them to the list of certs
 >> that your app trusts implicitly.
 >
 > By unverified, do you mean self-signed as well? Too many devices and
 > servers use self-signed certs to exclude them.

They're not excluded.  Peter also wrote:

 > Not at all! I'm saying that LiveCode already does provide the
 > capability.
...
 > I believe that it's a fantastic idea to deprecate
 > libUrlSetSSLVerification, replacing it with a more fine-grained
 > property that lets you select specific hosts!  It would be even
 > better to couple this with a way to make libURL _only_ accept a
 > specific, predefined certificate for a particular host (sort of
 > the opposite of disabling verification) -- "certificate pinning",
 > basically.
 >
 > I believe that it's a bad idea to give LiveCode a built-in "feature"
 > for making it easy for app end-users to ignore cert verification
 > failures.

In brief:  LC does this now, it could be made easier, but we don't 
really want to make it too easy because it would then become a sort of 
anti-feature.

It's also an ever-smaller use-case, no longer like:

 > The whole point to self signed certs is so that the world is not
 > forced to purchase a cert from an authority for every single device
 > in order to be relatively secure.

https://letsencrypt.org/

I don't believe it's hyperbole to suggest Let's Encrypt is one of the 
most significant projects of our time.  The web made safer, for 
everyone, for free.

Dreamhost has been offering this for months in their control panel, and 
the CPanel team is in late-stage Beta with their support for Let's 
Encrypt so most other shared hosting companies will be providing it soon.

And if you run a dedicated server or VPS you can install it right now 
yourself.  It's even in the Ubuntu repos so you can get it and keep it 
up to date with apt-get.

It's an awesome game-changer, with greater safety than many annual certs 
by virtue of a 90-day expiration with automated renewal.

It's awesome.

And did I mention it's free?  Some of the biggest names in the industry 
are funding it, and they're accepting sponsorships and donations as well 
- I made a modest donation recently:
https://letsencrypt.org/donate/

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com
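The per-host pinning Peter describes above (verify one host against a predefined certificate instead of switching verification off globally) sketched out as an added example. This is illustration code written for this page, not LiveCode's libURL or anything from the thread: the host names, the pin table and the "DER" bytes are constructed placeholders, and a real deployment would fill the table with the SHA-256 fingerprint of the actual device certificate.

```python
"""Per-host certificate pinning beside normal CA verification.

Added example, not LiveCode/libURL code.  Assumptions: a pin table keyed by
hostname holding the SHA-256 hex fingerprint of the exact leaf certificate
(DER encoding) that host must present; every host not in the table gets
ordinary CA-chain and hostname verification.  The "DER" below is a
constructed placeholder, not a real certificate.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed pin table (hypothetical host and placeholder certificate bytes).
CONSTRUCTED_DEVICE_DER = b"constructed-placeholder-DER-of-self-signed-device-cert"
PINS = {
    "device.example.internal": fingerprint(CONSTRUCTED_DEVICE_DER),
}


def pin_decision(host: str, der_cert: bytes, pins=PINS) -> str:
    """Classify the certificate a host presented.

    'pinned-ok'    -> host is pinned and the leaf matches the pin exactly
    'pin-mismatch' -> host is pinned but presented a different certificate
    'unpinned'     -> host is not in the table; rely on CA verification
    """
    expected = pins.get(host)
    if expected is None:
        return "unpinned"
    if hmac.compare_digest(fingerprint(der_cert), expected.lower()):
        return "pinned-ok"
    return "pin-mismatch"


def context_for(host: str, pins=PINS) -> ssl.SSLContext:
    """Build the TLS context for one host.

    Unpinned hosts keep the default context: CA-chain verification plus
    hostname checking.  Pinned hosts (typically a self-signed device cert
    that no CA can vouch for) turn chain verification off for that host
    only; the fingerprint comparison after the handshake replaces it.
    Switching verification off for every host is the anti-feature the
    thread warns against, so that option deliberately does not exist here.
    """
    ctx = ssl.create_default_context()
    if host in pins:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(host: str, port: int = 443, pins=PINS, timeout: float = 5.0) -> str:
    """Open a TLS connection and enforce the pin; returns the pin verdict.

    Network helper for real use; the decision logic it relies on is
    pin_decision(), which can be exercised offline.
    """
    ctx = context_for(host, pins)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # binary_form=True returns the peer's DER even with CERT_NONE.
            der = tls.getpeercert(binary_form=True)
            verdict = pin_decision(host, der, pins)
            if verdict == "pin-mismatch":
                raise ssl.SSLError(f"certificate for {host} does not match its pin")
            return verdict
```

The point of the split in context_for() is the one Peter makes: a self-signed device certificate can be accepted without asking the end user to ignore a verification failure, because for that one host the pin is the verification, while every other host still goes through the CA chain.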
