• Officer Johnny Holzkopf (unregistered)

    Return Frist

  • (nodebb)

    "What woulf possibly go false?"

  • Sauron (unregistered)

    Checking the validity of TLS certificates is overrated: everyone knows that the only way to make an app secure is to display padlock icons in the GUI. ;-)

  • TheCPUWizard (unregistered)

    Without context it is impossible to know.... In many newer systems, the validity is determined prior to the payload reaching the application [this was not always the case]. So "dummying out" the internal [now redundant] check can save performance - yes, it might be better to refactor it out completely.

  • HO (unregistered)

    I have used a variation of the posted code to override .NET's default check. But only as an option.

    For example, consider: an internal server that insists on https, but at best has a self-signed cert, and your client is on a different domain.

    If IgnoreCertErrors = True Then Net.ServicePointManager.ServerCertificateValidationCallback = AddressOf AcceptAnything

    ' Signature of RemoteCertificateValidationCallback. Returning True for every certificate disables all server certificate checks, process-wide.
    Private Function AcceptAnything(sender As Object, certificate As Security.Cryptography.X509Certificates.X509Certificate, chain As Security.Cryptography.X509Certificates.X509Chain, sslPolicyErrors As Net.Security.SslPolicyErrors) As Boolean
        Return True
    End Function
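
    The narrower form of the "only as an option" idea above, as an added example in C# that is not code from the article or from any commenter: instead of accepting every certificate when the option is set, accept the one self-signed certificate whose SHA-256 thumbprint is configured, and reject everything else. The CertPolicy and Program class names, the InternalServerThumbprint value and the .NET Core 2.1 / .NET 5+ target (for GetCertHashString(HashAlgorithmName) and HttpClientHandler) are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the post or the commenter. Assumes .NET Core 2.1 / .NET 5 or later.
static class CertPolicy
{
    // Equivalent of the posted AcceptAnything: every certificate passes, so anyone in the
    // network path can present any cert and the client will still talk to it over "https".
    public static bool AcceptAnything(HttpRequestMessage request, X509Certificate2 cert,
                                      X509Chain chain, SslPolicyErrors errors) => true;

    // Narrow replacement for the "internal server with a self-signed cert" case:
    // tolerate only the chain error a self-signed cert produces, and only for the one
    // certificate whose SHA-256 thumbprint was distributed out of band.
    public static Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool>
        PinnedTo(string pinnedSha256Thumbprint) =>
        (request, cert, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None)
                return true;                  // chain trusted by the OS store: the normal path
            if (cert == null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
                return false;                 // name mismatch or no cert at all stays fatal
            string actual = cert.GetCertHashString(HashAlgorithmName.SHA256); // uppercase hex, no separators
            return string.Equals(actual, pinnedSha256Thumbprint, StringComparison.OrdinalIgnoreCase);
        };
}

static class Program
{
    static void Main()
    {
        // Hypothetical thumbprint of the internal server's self-signed cert. Obtain the real one with
        //   openssl x509 -in server.crt -noout -fingerprint -sha256
        // and strip the colons.
        const string InternalServerThumbprint =
            "0000000000000000000000000000000000000000000000000000000000000000";

        var handler = new HttpClientHandler
        {
            // Scoped to this client, unlike the process-wide
            // ServicePointManager.ServerCertificateValidationCallback used in the posted snippet.
            ServerCertificateCustomValidationCallback = CertPolicy.PinnedTo(InternalServerThumbprint)
        };
        using var client = new HttpClient(handler);
        // Requests through `client` now succeed only for the pinned certificate or for one that
        // chains to a trusted root, never for an arbitrary self-signed one.
    }
}
```

    Two things the posted snippet does not do are worth noting: the ServicePointManager callback is a static, process-wide hook, so setting it to AcceptAnything silently turns off validation for every HTTPS connection the process makes, including ones to servers with perfectly good certificates; and checking `errors` against exactly RemoteCertificateChainErrors keeps hostname mismatches fatal even for the pinned cert.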

  • Alexander (unregistered)

    Actually, it's not a bad decision.

    Development model "from the top to the bottom": make empty functions for every substep and add content later.

    Of course, adding a "TODO" comment or, better, an assert() or log("not implemented") statement would be much better.

  • dusoft (unregistered)

    "What woulf possibly go File Not Found?"

  • (nodebb)

    Not much of a WTF. I have used the same code in the past (in C#) to disable certificate validation in non-production environments.

  • Duke of New York (unregistered)

    return "Soitainly!"

  • (nodebb) in reply to tom103

    Even in production environments ignoring certs can be the way to go. I once did work for a client, and all servers in their DMZ ignored internal certs because the company mandated 6 month max-age certs for all servers, 'cause reasons. Obviously that's rather silly in an isolated microservices cluster where you would have to update dozens of instances constantly, so the devs just ignored cert checks after their unlimited certs got deemed too unsafe by some bureaucrats. Ah, security theater, we all love it.

  • löchlein deluxe (unregistered)

    Well yes. Because the other side has short-lived certificates, so they're secure by definition. ;-)

  • (nodebb)

    In the early days of .NET, actually doing proper cert validation correctly was enormously difficult. So yeah, just making it shut up was done.

    As a separate matter to the above: another way to view this function is as a // TODO that never got touched again.

    Dev: But PHB, what about our technical debt and gaping security holes?
    PHB: Who's got time to worry about that crap? It works; ship it.

  • (nodebb)

    It could also be that the application used to run on its own and thus had to do its own validation, but has since been running via a regular web server which does the validation itself, rendering the app's original check useless.

  • hwertz (unregistered) in reply to MaxiTB

    "Even in production environments ignoring certs can be the way to go. Once did work for a client and all servers in their DMZ ignored internal certs because company mandated 6 month max-age certs for all servers cause reasons. Obviously that's rather silly in an isolated micro services cluster where you would have to update dozens of instance constantly"

    Agreed this is silly; but I would have thought a letsencrypt-style thing could have been done. That waits until your old certs are about to expire and automatically makes some new ones. I probably would have done just what these devs did, but there would be a nice way to distribute new certs automatically.

  • piqpoq (unregistered)

    I spent about 5 minutes trying to figure out how to scroll the textbox on the archives page for this post (can't in FF, because the entire thing seems to be one giant link, so scrolling doesn't work)... just so I could finish reading the method signature... before giving up on debugging someone's TDWTF and realizing that it just returns true, which is actually visible without scrolling.

Leave a comment on “Certificate of Security”
