- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best ofโฆ
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Return Frist
Admin
"What woulf possibly go false?"
Admin
Checking the validity of TLS certificates is overrated: everyone knows that the only way to make an app secure is to display padlock icons in the GUI. ;-)
Admin
Without context it is impossible to know.... in many newer systems, the validity is determined prior to the payload reaching the application [this was not always the case]. So "dummy out" the internal [now redundant] check can save performance - yes it might be better to refactor out completely.
Admin
I have used a variation of the posted, to override .NETs default check. ๐ฝ๐ช๐ฉ ๐ค๐ฃ๐ก๐ฎ ๐๐จ ๐๐ฃ ๐ค๐ฅ๐ฉ๐๐ค๐ฃ.
Fex consider: An internal server that insists on https, but at best has a self signed cert, and your client is on a different domain.
If IgnoreCertErrors = True Then Net.ServicePointManager.ServerCertificateValidationCallback = AddressOf AcceptAnything
Private Function AcceptAnything() As Boolean Return True End Function
Admin
Actually, it's not a bad decision.
Development model "from top to the bottom": make empty functions for every substep and add content later.
Of course, adding "TODO" comment, or, better - assert() or log("not implemented") statement - will be much better.
Admin
"What woulf possibly go File Not Found?"
Admin
Not much of a wtf. I have used the same code in the past (in C#) to disable certificate validation in non-production environments
Admin
return "Soitainly!"
Admin
Even in production environments ignoring certs can be the way to go. Once did work for a client and all servers in their DMZ ignored internal certs because company mandated 6 month max-age certs for all servers cause reasons. Obviously that's rather silly in an isolated micro services cluster where you would have to update dozens of instance constantly, so devs just ignored cert checks after their unlimited certs got deemed to unsafe by some buerocrats. Ah security theater, we all love it.
Admin
Well yes. Because the other side has short-lived certificates, so they're secure by definition. ;-)
Admin
In the early days of .NET actually doing proper cert validation correctly was enormously difficult. So yeah, just making it shut up was done.
As a separate matter to the above Another way to view this function is as a
// TODOthat never got touched again.Admin
It could also be that the application used to run on its own and thus had to do its own validation but has been running via a regular web server which does the validation itself, rendering the app's original check useless.
Admin
Agreed this is silly; but, I would have thought a letsencrypt-style thing could have been done. That waits until your old certs are about to expire and automatically makes some new ones. I probably would have done just what these devs did, but there would be a nice way to distribute new certs automatically.
Admin
"Even in production environments ignoring certs can be the way to go. Once did work for a client and all servers in their DMZ ignored internal certs because company mandated 6 month max-age certs for all servers cause reasons. Obviously that's rather silly in an isolated micro services cluster where you would have to update dozens of instance constantly"
Agreed this is silly; but, I would have thought a letsencrypt-style thing could have been done. That waits until your old certs are about to expire and automatically makes some new ones. I probably would have done just what these devs did, but there would be a nice way to distribute new certs automatically.
Admin
I spent about 5 minutes trying to figure out how to scroll the textbox on the archives page for this post (can't in FF, because the entire thing seems to be one giant link, so scrolling doesn't work)... just so I could finish reading the method signature... before giving up on debugging someone TDWTF and realizing that it just returns true, which is actually visible without scrolling.