Comments (8)

eazar001 commented on September 17, 2024

I've only been able to reproduce this problem with this query on this particular link.

from swipl-devel.

Anniepoo commented on September 17, 2024

Trivia just for fun: the Plumber's Friend advertised on the page is Annie's work. The site is a marketplace for virtual goods inside Second Life, and doesn't share a tech stack with SL itself. The startup was bought out by Linden Labs.


FunctionAnalysis commented on September 17, 2024

I would advise against any verification of this issue, given that the opening of the "pipe" allows the receipt of unverified certificates.

Remediation is suggested by disallowing a certificate to install without first being verified by either a check with a CA (certificate authority) or an MD5 or SHA1 hash.


JanWielemaker commented on September 17, 2024

Did a little check. The URL results in a redirection loop. The recent rewrites to library(http/http_open) have broken the redirection loop detection. This is now fixed (SWI-Prolog/packages-http@401d47f). The redirect is the result of redirecting to the same location after setting a cookie. By default, http_open/3 does not perform cookie handling. After loading library(http/http_cookie), the URL opens fine.

@FunctionAnalysis: little clue what you mean. This has nothing to do with certificates. The cert_accept_any simply tells the SSL layer to ignore failed certificate validation, something which is pretty useful if you want to access HTTPS sites while you do not care about security issues.

from swipl-devel.
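
The redirect loop described in the comment above, modelled as an added Python example; it is not SWI-Prolog's code and not how library(http/http_open) implements its check. `fetch`, `cookie_gate` and `RedirectLoop` are hypothetical names, and the "server" is a constructed in-process stand-in that sets a cookie and redirects to the same URL. Loop detection is keyed on the URL together with the cookies sent, so the same location with a new cookie is not mistaken for a loop.

```python
from urllib.parse import urljoin

REDIRECTS = (301, 302, 303, 307, 308)


class RedirectLoop(Exception):
    """Raised when a request would repeat an already-seen state."""


def cookie_gate(url, cookies):
    # Constructed server: without the cookie it sets one and redirects
    # to the *same* URL; with the cookie it serves the page.
    if cookies.get("session") == "abc":
        return 200, {}, "page body"
    return 302, {"Location": url, "Set-Cookie": "session=abc; Path=/"}, ""


def fetch(url, server, use_cookies=False, max_redirects=10):
    """Follow redirects; return (status, body, hops) or raise RedirectLoop."""
    jar = {}       # name -> value; cookie attributes are ignored here
    seen = set()   # (url, cookies sent) pairs already requested
    for hops in range(max_redirects + 1):
        sent = dict(jar) if use_cookies else {}
        state = (url, tuple(sorted(sent.items())))
        if state in seen:
            # Same URL with the same cookies: the reply cannot differ.
            raise RedirectLoop(f"redirect loop at {url} after {hops} hops")
        seen.add(state)

        status, headers, body = server(url, sent)
        if use_cookies and "Set-Cookie" in headers:
            pair = headers["Set-Cookie"].split(";")[0]
            name, _, value = pair.partition("=")
            jar[name.strip()] = value.strip()
        if status not in REDIRECTS:
            return status, body, hops
        url = urljoin(url, headers["Location"])
    # Backstop for chains that never repeat a state.
    raise RedirectLoop(f"more than {max_redirects} redirects")


if __name__ == "__main__":
    target = "https://example.test/item"   # constructed URL
    print(fetch(target, cookie_gate, use_cookies=True))
    try:
        fetch(target, cookie_gate)
    except RedirectLoop as err:
        print("no cookie handling:", err)
```
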

FunctionAnalysis commented on September 17, 2024

I understand that it accepts any cert, and understand that this makes connections easier. It also increases risk in terms of security, and not caring about security issues is a cause for just as much concern as accepting any ssl cert.

The SHA1 and MD5 are digital signature algorithms to either verify or reject a certificate, as is done with any symmetric based, handshake method used by SSL.

https://www.openssl.org/docs/manmaster/crypto/md5.html

https://ssltest39.ssl.symclab.com/

https://support.microsoft.com/en-us/kb/889768

SSL certificate validation should never be ignored, in my humble opinion.

The MD5 checksum is used to validate software itself, while the SHA1 (which has really, mostly been retired for SHA2) tests the security of SSL.


JanWielemaker commented on September 17, 2024

I understand that. That is why the default is to do the checking. We have to live with the current development that more and more sites use HTTPS while not providing proper certificates and the client doesn't care much about SSL as there is no security risk for the client involved. That is why, e.g., curl has a --insecure option and http_open/3 has a cert_accept_any check.


eazar001 commented on September 17, 2024

@JanWielemaker, thank you for looking into this.


FunctionAnalysis commented on September 17, 2024

I offer to review this further, and see if general ssl adjustments would help SWIPL.

On Dec 22, 2015, at 1:34 PM, Jan Wielemaker [email protected] wrote:

I understand that. That is why the default is to do the checking. We have to live with the current development that more and more sites use HTTPS while not providing proper certificates and the client doesn't care much about SSL as there is no security risk for the client involved. That is why, e.g., curl has a --insecure option and http_open/3 has a cert_accept_any check.

