Re: override HTTPS certificate failure

2016-10-29 Thread Ben Rubinstein
On 27/10/2016 00:19, Charles Warwick wrote: You probably should care about implementing them. I can think of several ways to exploit this situation, especially if your test servers are not on the same private network as the developers who are accessing them. That isn't feasible if the app dev

Re: override HTTPS certificate failure

2016-10-26 Thread Charles Warwick
On 27/10/2016 9:19 AM, Charles Warwick wrote: I believe that it's a fantastic idea to deprecate libUrlSetSSLVerification, replacing it with a more fine-grained property that lets you select specific hosts! It would be even better to couple this with a way to make libURL _only_ accept a speci

Re: override HTTPS certificate failure

2016-10-26 Thread Charles Warwick
On 27/10/2016 1:16 AM, Peter TB Brett wrote: On 26/10/2016 15:42, Trevor DeVore wrote: Perhaps, but for testing purposes we don’t really care about implementing them :-) Here is my question for you - are you arguing that LiveCode (a You probably should care about implementing them. I can th

Re: override HTTPS certificate failure

2016-10-26 Thread Bob Sneidar
I'll check that out. I'm uncertain how I could get a server to request a new cert every 90 days, and I'm sure I cannot get a copier to do it. Otherwise it sounds like I can use it for certain things here. Bob S On Oct 26, 2016, at 09:26 , Richard Gaskin wro

Re: override HTTPS certificate failure

2016-10-26 Thread Richard Gaskin
Bob Sneidar wrote: > On Oct 26, 2016, at 08:16 , Peter TB Brett wrote: > >> I believe that it's a really really bad idea to download completely >> unverified certificates and permanently add them to the list of certs >> that your app trusts impli

Re: override HTTPS certificate failure

2016-10-26 Thread Bob Sneidar
By unverified, do you mean self-signed as well? Too many devices and servers use self-signed certs to exclude them. The whole point to self signed certs is so that the world is not forced to purchase a cert from an authority for every single device in order to be relatively secure. For devices

Re: override HTTPS certificate failure

2016-10-26 Thread Trevor DeVore
On Wed, Oct 26, 2016 at 10:16 AM, Peter TB Brett wrote: > > > On 26/10/2016 15:42, Trevor DeVore wrote: >> >> >> Perhaps, but for testing purposes we don’t really care about implementing >> them :-) Here is my question for you - are you arguing that LiveCode (a >> > > You probably should care abo

Re: override HTTPS certificate failure

2016-10-26 Thread Peter TB Brett
On 26/10/2016 15:42, Trevor DeVore wrote: On Wed, Oct 26, 2016 at 9:21 AM, Peter TB Brett wrote: On 26/10/2016 14:42, Trevor DeVore wrote: Peter, I agree that in most cases you don’t want people bypassing these warnings. There are situations in software development where people testing

Re: override HTTPS certificate failure

2016-10-26 Thread Trevor DeVore
On Wed, Oct 26, 2016 at 9:21 AM, Peter TB Brett wrote: > > > On 26/10/2016 14:42, Trevor DeVore wrote: >> >> Peter, >> >> I agree that in most cases you don’t want people bypassing these warnings. >> There are situations in software development where people testing software >> against staging ser

Re: override HTTPS certificate failure

2016-10-26 Thread Peter TB Brett
On 26/10/2016 14:42, Trevor DeVore wrote: On Wed, Oct 26, 2016 at 2:01 AM, Peter TB Brett wrote: On 25/10/2016 20:41, Lyn Teyla wrote: 2. If the user elects to trust the certificate, save the certificate details received from the server during that first connection. You've forgotten an

Re: override HTTPS certificate failure

2016-10-26 Thread Trevor DeVore
On Wed, Oct 26, 2016 at 2:01 AM, Peter TB Brett wrote: > On 25/10/2016 20:41, Lyn Teyla wrote: > > 2. If the user elects to trust the certificate, save the certificate >> details received from the server during that first connection. >> > > You've forgotten an extremely important step: train the

Re: override HTTPS certificate failure

2016-10-26 Thread Peter TB Brett
On 25/10/2016 20:41, Lyn Teyla wrote: 2. If the user elects to trust the certificate, save the certificate details received from the server during that first connection. You've forgotten an extremely important step: train the user to be able to distinguish a valid-but-not-trusted certificate

Re: override HTTPS certificate failure

2016-10-25 Thread Monte Goulding
Perhaps this in addition to a callback / dialog? > On 26 Oct. 2016, at 2:43 pm, Charles Warwick > wrote: > > Monte, Trevor, > > My preference for handling the overriding of HTTPS certificates would be by > adding the ability within libUrl to "get" the SSL certificate of a particular > site (

Re: override HTTPS certificate failure

2016-10-25 Thread Charles Warwick
Monte, Trevor, My preference for handling the overriding of HTTPS certificates would be by adding the ability within libUrl to "get" the SSL certificate of a particular site (for example a self-signed one), and then "add" that SSL certificate to a CA store that is utilised by the libUrl librar

Re: override HTTPS certificate failure

2016-10-25 Thread Monte Goulding
> On 26 Oct. 2016, at 11:24 am, Trevor DeVore wrote: > >> One thing I might as well say now as I’ll say it in review anyway is it >> would be better to set individual hosts rather than the entire list in one >> hit to reduce the risk of different user code clobbering each other. > > > The inte

Re: override HTTPS certificate failure

2016-10-25 Thread Trevor DeVore
On Tue, Oct 25, 2016 at 2:36 PM, Monte Goulding wrote: > > > On 26 Oct. 2016, at 3:25 am, Trevor DeVore > wrote: > > > > https://github.com/trevordevore/livecode/commit/6a5bc42abebca23e6b8aa611c8f0966b221441c6

Re: override HTTPS certificate failure

2016-10-25 Thread Lyn Teyla
Bob Sneidar wrote: > True, but isn't the issue that malformed certs, including self signed certs, > are rejected? A self signed cert is not insecure, it's just less secure than > a root signed cert, and only because a background check has been done against > the cert owner. Otherwise a self sign

Re: override HTTPS certificate failure

2016-10-25 Thread Monte Goulding
> On 26 Oct. 2016, at 3:25 am, Trevor DeVore wrote: > > I’m working on a libURL addition that will allow you to specify hosts that > should bypass SSL verification without turning it off completely. That way > you let the user know a certificate wasn’t verified but allow them to > override it. H

Re: override HTTPS certificate failure

2016-10-25 Thread Trevor DeVore
On Tue, Oct 25, 2016 at 11:10 AM, Bob Sneidar wrote: > True, but isn't the issue that malformed certs, including self signed > certs, are rejected? A self signed cert is not insecure, it's just less > secure than a root signed cert, and only because a background check has > been done against the c

Re: override HTTPS certificate failure

2016-10-25 Thread Bob Sneidar
True, but isn't the issue that malformed certs, including self signed certs, are rejected? A self signed cert is not insecure, it's just less secure than a root signed cert, and only because a background check has been done against the cert owner. Otherwise a self signed cert is just as valid if

Re: override HTTPS certificate failure

2016-10-25 Thread Ben Rubinstein
Thanks Lyn, that's exactly what I needed! I should have spotted it myself in the dictionary, but failed. Many thanks, Ben On 25/10/2016 16:18, Lyn Teyla wrote: Ben Rubinstein wrote: If an "https" site has a misconfigured certificate, most browsers will tell you what the problem is - and ge

Re: override HTTPS certificate failure

2016-10-25 Thread Lyn Teyla
Ben Rubinstein wrote: > If an "https" site has a misconfigured certificate, most browsers will tell > you what the problem is - and generally give you an option (more or less > hidden) to ignore the warning and load the resource anyway. > > Loading the same resource from LC using libURL, the re

Re: override HTTPS certificate failure

2016-10-25 Thread Bob Sneidar
+1 there ought to be a way to load the page anyway. We have, like so very many other companies, an internal FQDN for our domain, and an external one strictly for the purpose of email. Why the two? Because of issues that crop up in your local DNS when creating multiple subdomains if the external a

override HTTPS certificate failure

2016-10-25 Thread Ben Rubinstein
If an "https" site has a misconfigured certificate, most browsers will tell you what the problem is - and generally give you an option (more or less hidden) to ignore the warning and load the resource anyway. Loading the same resource from LC using libURL, the result is "error application veri