On 26/10/2016 15:42, Trevor DeVore wrote:
> On Wed, Oct 26, 2016 at 9:21 AM, Peter TB Brett <peter.br...@livecode.com>
> wrote:
>
>> On 26/10/2016 14:42, Trevor DeVore wrote:
>>
>>> Peter,
>>>
>>> I agree that in most cases you don’t want people bypassing these warnings.
>>> There are situations in software development where people testing software
>>> against staging servers need to connect over https without the verification
>>> step. That is why I had to implement it in my custom libURL version.
>>
>> There are several other enormously superior options.
>
> Perhaps, but for testing purposes we don’t really care about implementing
> them :-) Here is my question for you - are you arguing that LiveCode (a

You probably should care about implementing them. I can think of several ways
to exploit this situation, especially if your test servers are not on the same
private network as the developers who are accessing them.

> development tool) should not have the ability to allow a developer to
> create an application that allows a self-signed certificate that can’t be
> verified to bypass the verification process for that particular server?

Not at all! I'm saying that LiveCode already does provide the capability. So there's no need to assemble a massive cannon, load it with explosive shells, and point it at our less security-conscious LiveCode developers' end-users.

I believe that it's a fantastic idea to deprecate libUrlSetSSLVerification, replacing it with a more fine-grained property that lets you select specific hosts! It would be even better to couple this with a way to make libURL _only_ accept a specific, predefined certificate for a particular host (sort of the opposite of disabling verification) -- "certificate pinning", basically.

I believe that it's a bad idea to give LiveCode a built-in "feature" for making it easy for app end-users to ignore cert verification failures.

I believe that it's a really really bad idea to download completely unverified certificates and permanently add them to the list of certs that your app trusts implicitly.

                                               Peter

--
Dr Peter Brett <peter.br...@livecode.com>
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
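The per-host alternative Peter sketches above (accept exactly one predefined certificate for one staging host, keep ordinary verification for everything else, and never switch verification off globally) as an added worked example. This is Python against the standard `ssl` module, not LiveCode, and not libURL's or tsNet's own code; the host names, the `_PINS` store and the certificate bytes in the demo are constructed placeholders, not real certificates.

```python
"""Per-host certificate pinning instead of switching verification off.

Added example (Python standard library, not the libURL code discussed in the
thread). A pinned host trusts exactly one certificate, chosen out of band;
every other host goes through the normal CA store. Host names and the
certificate bytes below are constructed placeholders.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Dict

# Pin store: hostname -> DER encoding of the ONE leaf certificate accepted for
# that host. Filled out of band (shipped with the build or read from a file the
# developer controls), never from whatever a server happens to send at runtime.
_PINS: Dict[str, bytes] = {}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_host(host: str, der_cert: bytes) -> str:
    """Register the only certificate accepted for `host`; returns its pin."""
    _PINS[host] = der_cert
    return fingerprint(der_cert)


def is_pinned(host: str) -> bool:
    return host in _PINS


def pin_matches(host: str, presented_der: bytes) -> bool:
    """True only if `host` is pinned AND the presented cert is the pinned one.

    An unpinned host never "matches": it must pass normal CA verification.
    A pinned host presenting any other cert, even a valid CA-signed one, is
    rejected; that is what pinning means.
    """
    expected = _PINS.get(host)
    if expected is None:
        return False
    return hmac.compare_digest(fingerprint(expected), fingerprint(presented_der))


def context_for(host: str) -> ssl.SSLContext:
    """TLS context for `host`: a pinned host trusts only its pinned cert.

    For a pinned host the pinned certificate is the sole trust anchor and
    hostname checking stays on, so a self-signed staging cert verifies while
    nothing else does. Every other host gets the untouched system CA store.
    Neither branch ever sets CERT_NONE.
    """
    if is_pinned(host):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        ctx.load_verify_locations(cadata=_PINS[host])  # cadata accepts DER bytes
        return ctx
    return ssl.create_default_context()


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """Does this context still verify the peer certificate and its hostname?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def verification_disabled_context() -> ssl.SSLContext:
    """The global switch-off the thread argues against (the equivalent of
    libUrlSetSSLVerification false). Shown only for contrast: it accepts any
    certificate from any host, so anyone between the app and ANY server can
    impersonate that server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect to `host` and, if it is pinned, enforce the pin after the handshake.

    The context already restricts the trust store; the explicit fingerprint
    comparison is a second, independent guard against a trust-store mistake.
    """
    ctx = context_for(host)
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    if is_pinned(host) and not pin_matches(host, tls.getpeercert(binary_form=True)):
        tls.close()
        raise ssl.SSLCertVerificationError(f"certificate for {host} does not match its pin")
    return tls


if __name__ == "__main__":
    # Constructed stand-in for a staging server's self-signed certificate (DER).
    staging_der = b"constructed stand-in for staging cert DER"
    print("pin:", pin_host("staging.example.invalid", staging_der))
    print("staging presents pinned cert:", pin_matches("staging.example.invalid", staging_der))
    print("staging presents other cert: ", pin_matches("staging.example.invalid", b"other"))
    print("prod is pinned:", is_pinned("prod.example.invalid"))
    print("prod context verifies:", context_verifies(context_for("prod.example.invalid")))
```

The design point is that the exception is scoped twice: by host (the pin store is keyed on the hostname the app connects to) and by certificate (only that one DER blob is a trust anchor, and its fingerprint is re-checked after the handshake). Rotating the staging certificate means updating the pin in the build, which is deliberate; it is the opposite of the "download whatever the server sends and trust it forever" behaviour Peter warns about.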
