• Officer Johnny Holzkopf (unregistered)

    Return Frist

  • (nodebb)

    "What woulf possibly go false?"

  • Sauron (unregistered)

    Checking the validity of TLS certificates is overrated: everyone knows that the only way to make an app secure is to display padlock icons in the GUI. ;-)

  • TheCPUWizard (unregistered)

    Without context it is impossible to know.... in many newer systems, the validity is determined prior to the payload reaching the application [this was not always the case]. So "dummy out" the internal [now redundant] check can save performance - yes it might be better to refactor out completely.

  • HO (unregistered)

    I have used a variation of the posted, to override .NETs default check. ๐˜ฝ๐™ช๐™ฉ ๐™ค๐™ฃ๐™ก๐™ฎ ๐™–๐™จ ๐™–๐™ฃ ๐™ค๐™ฅ๐™ฉ๐™ž๐™ค๐™ฃ.

    Fex consider: An internal server that insists on https, but at best has a self signed cert, and your client is on a different domain.

    If IgnoreCertErrors = True Then Net.ServicePointManager.ServerCertificateValidationCallback = AddressOf AcceptAnything

    Private Function AcceptAnything() As Boolean Return True End Function

  • Alexander (unregistered)
    Comment held for moderation.
  • dusoft (unregistered)
    Comment held for moderation.
  • (nodebb)

    Not much of a wtf. I have used the same code in the past (in C#) to disable certificate validation in non-production environments

  • Duke of New York (unregistered)
    Comment held for moderation.
  • (nodebb) in reply to tom103

    Even in production environments ignoring certs can be the way to go. Once did work for a client and all servers in their DMZ ignored internal certs because company mandated 6 month max-age certs for all servers cause reasons. Obviously that's rather silly in an isolated micro services cluster where you would have to update dozens of instance constantly, so devs just ignored cert checks after their unlimited certs got deemed to unsafe by some buerocrats. Ah security theater, we all love it.

  • löchlein deluxe (unregistered)
    Comment held for moderation.
  • (nodebb)

    In the early days of .NET actually doing proper cert validation correctly was enormously difficult. So yeah, just making it shut up was done.

    As a separate matter to the above Another way to view this function is as a // TODO that never got touched again.

    Dev: But PHB, what about our technical debt and gaping security holes? PHB: Who's got time to worry about that crap? It works; ship it.

  • (nodebb)

    It could also be that the application used to run on its own and thus had to do its own validation but has been running via a regular web server which does the validation itself, rendering the app's original check useless.

  • hwertz (unregistered) in reply to MaxiTB
    Comment held for moderation.
  • hwertz (unregistered) in reply to MaxiTB
    Comment held for moderation.
  • piqpoq (unregistered)

    I spent about 5 minutes trying to figure out how to scroll the textbox on the archives page for this post (can't in FF, because the entire thing seems to be one giant link, so scrolling doesn't work)... just so I could finish reading the method signature... before giving up on debugging someone TDWTF and realizing that it just returns true, which is actually visible without scrolling.

Leave a comment on “Certificate of Security”

Log In or post as a guest

Replying to comment #:

« Return to Article