“Hey, apparently, the SSL cert on our web-service expired… in 2013.”

Laura’s company had a web-service that provided most of their business logic, and managed a suite of clients for interacting with that service. Those clients definitely used SSL to make calls to that web-service. And Laura knew that there were a bunch of calls to ValidateServerCertificate as part of the handshaking process, so they were definitely validating it, right?

private static bool ValidateServerCertificate(
  object sender,
  System.Security.Cryptography.X509Certificates.X509Certificate certificate,
  System.Security.Cryptography.X509Certificates.X509Chain chain,
  System.Net.Security.SslPolicyErrors sslPolicyErrors)
    return true;

Well, that’s one kind of validation rule. It’s guaranteed to never fail, if nothing else.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!