Alfred Peng wrote: > Hi Mark, > > Thanks for pointing this out. > > The consumers of libsoup can point a file containing certificates for > recognized SSL Certificate Authorities. HTTPS connections will be > checked against these authorities, and rejected if they can't be > verified > (http://library.gnome.org/devel/libsoup/stable/libsoup-client-howto.html). > On the WebKit side, it doesn't set any authorities and accepts all SSL > certificates automatically. > > This could be a RFE for WebKit so that consumers of WebKit can pass the > certificate for verification. > Seems like we went from the prior WebKit (2008/782) requiring an override to accept all SSL to having that behavior by default.
As in the original case (2008/782), this certainly seems appropriate for a documentation admonishment. I'd say that'd be quite a violation of user expectation to silently, by default, accept all certificates. I believe the stakes are raised, so I'm not sure if the "NOTES" section is the right place for this as it was in the last case. Before, risky behavior was only available with an override to the it-doesnt-work-at-all behavior. Now, it's the default. I don't know what the answer is, though, if it's not NOTES. "Beware, all ye consumers of WebKit: unless you pass a certificate for validation, SSL certificate validation is not enforced, and all certificates are considered valid, including those that really aren't.". As for an RFE, could you clarify a little on that? An RFE to enable users to pass the certificate in the first place? It's not even available as delivered here?
