Bob Sneidar wrote:

> On Oct 26, 2016, at 08:16, Peter TB Brett <peter.brett at livecode.com> wrote:
>
>> I believe that it's a really really bad idea to download completely
>> unverified certificates and permanently add them to the list of certs
>> that your app trusts implicitly.
>
> By unverified, do you mean self-signed as well? Too many devices and
> servers use self-signed certs to exclude them.

They're not excluded.  Peter also wrote:

> Not at all! I'm saying that LiveCode already does provide the
> capability.
...
> I believe that it's a fantastic idea to deprecate
> libUrlSetSSLVerification, replacing it with a more fine-grained
> property that lets you select specific hosts!  It would be even
> better to couple this with a way to make libURL _only_ accept a
> specific, predefined certificate for a particular host (sort of
> the opposite of disabling verification) -- "certificate pinning",
> basically.
>
> I believe that it's a bad idea to give LiveCode a built-in "feature"
> for making it easy for app end-users to ignore cert verification
> failures.

In brief: LC does this now; it could be made easier, but we don't really want to make it too easy, because it would then become a sort of anti-feature.

It's also an ever-smaller use-case, no longer like:

> The whole point to self signed certs is so that the world is not
> forced to purchase a cert from an authority for every single device
> in order to be relatively secure.

https://letsencrypt.org/

I don't believe it's hyperbole to suggest Let's Encrypt is one of the most significant projects of our time. The web made safer, for everyone, for free.

Dreamhost has been offering this for months in their control panel, and the CPanel team is in late-stage Beta with their support for Let's Encrypt so most other shared hosting companies will be providing it soon.

And if you run a dedicated server or VPS you can install it right now yourself. It's even in the Ubuntu repos so you can get it and keep it up to date with apt-get.

It's an awesome game-changer, with greater safety than many annual certs by virtue of a 90-day expiration with automated renewal.

It's awesome.

And did I mention it's free? Some of the biggest names in the industry are funding it, and they're accepting sponsorships and donations as well - I made a modest donation recently:
https://letsencrypt.org/donate/

--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 ____________________________________________________________________
 ambassa...@fourthworld.com                http://www.FourthWorld.com
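The "opposite of disabling verification" that Peter's quoted message describes (accept only one predefined certificate for a given host), together with the self-signed device case Bob raises, can be illustrated without LiveCode. The block below is an added example written for this page; it is not libURL or LiveCode code and uses only the Python standard library. The host name and the pin in PINS are placeholders, and the pin format (SHA-256 of the server's DER-encoded leaf certificate) is an assumption chosen for the example.

```python
"""Certificate pinning for one host: verification stays on, and the peer must
additionally present the exact certificate the application expects.

Added example (not LiveCode/libURL code), Python standard library only.
Assumptions: the app keeps a host -> pin table (PINS, with a hypothetical
host and a placeholder pin), and a pin is the SHA-256 of the server's
DER-encoded leaf certificate.
"""
import hashlib
import hmac
import socket
import ssl
import sys
from typing import Optional


class PinMismatch(ssl.SSLError):
    """Raised when the presented certificate does not match the configured pin."""


# Hypothetical pin table: host and digest are placeholders, not real values.
PINS = {
    "device.example.invalid": "0" * 64,
}


def compute_pin(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the observed pin with the configured one."""
    return hmac.compare_digest(compute_pin(der_cert), expected_pin.strip().lower())


def context_trusting_only(pem_cert: str) -> ssl.SSLContext:
    """Context that trusts exactly one certificate (e.g. a device's self-signed
    cert) instead of the system CA store. Chain and hostname verification stay
    enabled: the cert must be self-signed so the chain terminates at it, and its
    SAN/CN must match the name passed as server_hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=pem_cert)
    return ctx


def connect_pinned(host: str, port: int = 443, pins=PINS, timeout: float = 10.0,
                   ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Open a TLS connection that must pass normal verification AND the pin check.

    A host with no table entry is refused before any socket is opened, so a
    missing pin can never silently downgrade to CA-only trust.
    """
    expected = pins.get(host)
    if expected is None:
        raise ValueError(f"no certificate pin configured for {host!r}; refusing to connect")
    if ctx is None:
        ctx = ssl.create_default_context()  # CA chain + hostname checks stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, expected):
            raise PinMismatch(f"certificate for {host} does not match the configured pin")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Print the pin of a PEM certificate file so it can be copied into PINS.
    with open(sys.argv[1]) as f:
        print(compute_pin(ssl.PEM_cert_to_DER_cert(f.read())))
```

One caveat that follows directly from the 90-day lifetime praised above: a pin on the leaf certificate of a Let's Encrypt host breaks at every automated renewal unless the key is reused, so leaf pinning fits the fixed self-signed device case far better than a public host, and any pinned deployment needs a way to ship a new pin (or a backup pin) before the old certificate expires.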

_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
