Re: Determining SSL Authenticity - Part III
Dave Cragg wrote:
> If you're on OS X, you might try this. But be warned! I don't really know what I'm doing. :-)

Alas, I am not on Mac OS X. Hopefully within the next few months I'll have one, but not yet. But all of this is helping me understand what needs to happen. Thanks!

Derek Bump
Dreamscape Software
www.dreamscapesoftware.com

___
use-revolution mailing list
use-revolution@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution

Re: Determining SSL Authenticity - Part III
On 3 Jan 2007, at 19:47, Mark Smith wrote:
> The one I've been using with https connections (again on OS X) is:
> /usr/share/curl/curl-ca-bundle.crt
> which seems to work.

It works here too. Thanks for the info.

> Curl again Dave, sorry :)

No problem.

Looking through the Keychain-exported and Curl certificates, I see they share a core of what I guess are the mainstream certificates (Thawte, etc.), but both have various other stuff. The Curl file says it comes directly from Netscape, which makes me think it's probably good. I've no idea how the certificates get into Apple's Keychain. Did Apple put them all there, or did I OK various messages at times and allow some of them to get there? But I notice the Keychain set includes some US DoD certificates which I don't see in the Curl file. Should I feel more secure? :-)

Cheers
Dave

Re: Determining SSL Authenticity - Part III
The one I've been using with https connections (again on OS X) is:

/usr/share/curl/curl-ca-bundle.crt

which seems to work.

Curl again Dave, sorry :)

Mark

On 3 Jan 2007, at 17:42, Dave Cragg wrote:
> If you're on OS X, you might try this. But be warned! I don't really know what I'm doing. :-)
>
> I opened Apple's Keychain app and selected the X509Anchors item. This will list a large number of what I think are Certificate Authority root certificates. I selected all, and from the File menu selected Export. I chose the Privacy Enhanced Mail (.pem) option and saved the file as "root.pem".
>
> In Rev, I set the sslcertificates property to this file. I then tried three https URLs and they all worked. (Clearly a sign of a good year ahead.)
>
> My concern is that I selected all the certificates listed in Keychain. I'm not sure if that was wise. Does anyone know?
>
> Cheers
> Dave

Re: Determining SSL Authenticity - Part III
On 3 Jan 2007, at 17:25, Dave Cragg wrote:
> I always forget that part. :-)
>
> Once upon a time, there was a ".pem" file that was distributed with Rev (perhaps only distributed in an alpha/beta version when secure sockets were first introduced). Setting the sslcertificates property to this file would allow Rev to handle the certificate authentication. I can't find that file on the machine I'm at at the moment, but I seem to remember it no longer worked when I last tried it. But you may be able to find a suitable file somewhere that can be used. Perhaps someone else can help.

If you're on OS X, you might try this. But be warned! I don't really know what I'm doing. :-)

I opened Apple's Keychain app and selected the X509Anchors item. This will list a large number of what I think are Certificate Authority root certificates. I selected all, and from the File menu selected Export. I chose the Privacy Enhanced Mail (.pem) option and saved the file as "root.pem".

In Rev, I set the sslcertificates property to this file. I then tried three https URLs and they all worked. (Clearly a sign of a good year ahead.)

My concern is that I selected all the certificates listed in Keychain. I'm not sure if that was wise. Does anyone know?

Cheers
Dave

Re: Determining SSL Authenticity - Part III
On 3 Jan 2007, at 16:50, Derek Bump wrote:
> 1. Internet Explorer comes preloaded with Certificates.
> 2. Runtime Revolution does not come preloaded with Certificates.
>
> On this basis, if I utilize the following command...
>
>     open secure socket to "whatever.com" with message "openedOK"
>
> ... Revolution will return back some sort of error because Revolution cannot access the Certificates that are pre-installed with Internet Explorer,

I always forget that part. :-)

Once upon a time, there was a ".pem" file that was distributed with Rev (perhaps only distributed in an alpha/beta version when secure sockets were first introduced). Setting the sslcertificates property to this file would allow Rev to handle the certificate authentication. I can't find that file on the machine I'm at at the moment, but I seem to remember it no longer worked when I last tried it. But you may be able to find a suitable file somewhere that can be used. Perhaps someone else can help.

> meanwhile IE will validate the certificate and return an "OK" result (provided it is OK). On the other hand, if IE encounters a bad or unknown certificate, then some sort of error message will come up anyways. IE will automatically take care of the issue and lead the user where they need to go.

A reasonable assumption, I think.

Cheers
Dave

Re: Determining SSL Authenticity - Part III
Thank you Andre, Luis and Dave for your insight, references and suggestions. It looks like I'll be spending the next few days parsing certificates.

Something did just occur to me after reading a little... (if I'm wrong in my assumptions then please correct me)

1. Internet Explorer comes preloaded with Certificates.
2. Runtime Revolution does not come preloaded with Certificates.

On this basis, if I utilize the following command...

    open secure socket to "whatever.com" with message "openedOK"

... Revolution will return back some sort of error because Revolution cannot access the Certificates that are pre-installed with Internet Explorer, meanwhile IE will validate the certificate and return an "OK" result (provided it is OK). On the other hand, if IE encounters a bad or unknown certificate, then some sort of error message will come up anyways. IE will automatically take care of the issue and lead the user where they need to go.

Would I really be in the wrong if I displayed a lock icon anyways, considering IE's doing all the work? Remember, you can view a page's certificate information in altBrowser by right-clicking it and choosing "Properties" and then clicking "Certificates" (and the properties shows the encryption information anyways).

Derek Bump
Dreamscape Software
www.dreamscapesoftware.com

Luis wrote:
> Can't have too much information:
> http://www.ourshop.com/resources/ssl.html
>
> Cheers,
> Luis.

Re: Determining SSL Authenticity
On 3 Jan 2007, at 04:11, Derek Bump wrote:
> Andre, Thank you so much for your response. I'm afraid I was a little unclear as to my intentions. I am implementing altBrowser into one of my projects, and unfortunately, altBrowser does not return whether IE knows if the server is secure. I'm looking for a way of determining this within Revolution so I can display that on the screen.

I don't know much about the workings of altBrowser, but one possible (and clunky) way would be to check the url from Rev first before having altBrowser display the page.

    put "https://whatever.com/path" into tTestUrl
    get url tTestUrl
    if the result <> empty then
      ## no good
    else
      ## OK so ask altBrowser to display the url
    end if

Or, probably quicker, use the "open secure socket" command to just the server:

    open secure socket to "whatever.com" with message "openedOK"

    on openedOK pSocket
      close socket pSocket
      ## ask altBrowser to display the url
    end openedOK

    on socketError pSocket, pErrString
      ## no good
    end socketError

One problem is that a failure to get the url or open the socket doesn't necessarily mean the certificate is not secure. You'd have to examine either "the result" from the url call, or pErrString in the socketError handler to be sure.

I haven't tried either approach, so be sure to confirm that they do what you want before trusting in them.

Cheers
Dave

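The caveat in the message above (a failed URL fetch or socket open does not by itself mean the certificate was rejected) can be illustrated outside Rev. The following Python code is an added example, not code from any poster in this thread; the function names and verdict labels are hypothetical, and `cafile` plays the role of the PEM bundle that the thread assigns to the sslcertificates property.

```python
import socket
import ssl

# Verdict names are hypothetical labels chosen for this example.
TRUSTED = "trusted"
CERT_REJECTED = "certificate-rejected"
TLS_FAILURE = "tls-failure"
NETWORK_FAILURE = "network-failure"


def classify_failure(exc):
    """Map an exception from connect or handshake to (verdict, detail).

    Order matters: SSLCertVerificationError is a subclass of SSLError,
    which is itself a subclass of OSError.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Untrusted issuer, expired certificate or host name mismatch.
        # verify_code/verify_message are filled in by a real handshake.
        code = getattr(exc, "verify_code", None)
        message = getattr(exc, "verify_message", None) or str(exc)
        return CERT_REJECTED, f"verify_code={code}: {message}"
    if isinstance(exc, ssl.SSLError):
        # The handshake failed for a reason unrelated to trust, such as
        # a protocol mismatch or a plain-HTTP service on the port.
        return TLS_FAILURE, getattr(exc, "reason", None) or str(exc)
    if isinstance(exc, OSError):
        # DNS failure, refused connection, timeout: this says nothing
        # about the certificate at all.
        return NETWORK_FAILURE, f"{type(exc).__name__}: {exc}"
    raise exc


def probe(host, port=443, cafile=None, timeout=5.0):
    """Attempt a verified TLS handshake and report what happened.

    cafile is a PEM bundle of trusted roots; None means the system
    default store.
    """
    # Built outside the try block so that a missing or unreadable bundle
    # raises instead of being reported as a network failure.
    context = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except OSError as exc:
        return classify_failure(exc)
    # Flatten the subject's relative distinguished names into a dict.
    subject = dict(pair for rdn in cert["subject"] for pair in rdn)
    name = subject.get("commonName", "?")
    return TRUSTED, f"{name} (expires {cert['notAfter']})"


def may_show_lock(verdict):
    """Only a fully verified handshake justifies a lock icon."""
    return verdict == TRUSTED


if __name__ == "__main__":
    # "whatever.com" is the placeholder host used in the thread.
    print(probe("whatever.com"))
```
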
Re: Determining SSL Authenticity - Part III
Can't have too much information:

http://www.ourshop.com/resources/ssl.html

Cheers,
Luis.

Luis wrote:
> Re-reading your post: I think I've found something closer to your request.
>
> http://articles.techrepublic.com.com/5100-1009-6055958.html
> http://articles.techrepublic.com.com/5100-6350_11-5287634.html
>
> Code signing process:
> http://www.instantssl.com/code-signing/code-signing-process.html?currency=GBP&region=United+Kingdom&country=GB&entryURL=http%3A//www.instantssl.com/code-signing/&referrerURL=http%3A//www.hackerguardian.com/help/glossary.html
>
> Cheers,
> Luis.

Re: Determining SSL Authenticity - Part II
Re-reading your post: I think I've found something closer to your request.

http://articles.techrepublic.com.com/5100-1009-6055958.html
http://articles.techrepublic.com.com/5100-6350_11-5287634.html

Code signing process:
http://www.instantssl.com/code-signing/code-signing-process.html?currency=GBP&region=United+Kingdom&country=GB&entryURL=http%3A//www.instantssl.com/code-signing/&referrerURL=http%3A//www.hackerguardian.com/help/glossary.html

Cheers,
Luis.

Luis wrote:
> Hiya,
>
> You can request a certificate from the server and parse the results. A sample of a certificate (current X.509 standard) is here: http://en.wikipedia.org/wiki/X.509
>
> Other than that you can probably obtain the appropriate documentation from Certificate providers like Verisign and Thawte.
>
> Note that most browsers come with root certificates pre-installed from the major vendors (more info here: http://en.wikipedia.org/wiki/Root_certificate) and they can be used to validate some certificates. Some companies generate their own certificates: In this instance you'd have to make sure a trust is established on which you can then base your checking.
>
> Cheers,
> Luis.

Re: Determining SSL Authenticity
Hiya,

You can request a certificate from the server and parse the results. A sample of a certificate (current X.509 standard) is here: http://en.wikipedia.org/wiki/X.509

Other than that you can probably obtain the appropriate documentation from Certificate providers like Verisign and Thawte.

Note that most browsers come with root certificates pre-installed from the major vendors (more info here: http://en.wikipedia.org/wiki/Root_certificate) and they can be used to validate some certificates. Some companies generate their own certificates: In this instance you'd have to make sure a trust is established on which you can then base your checking.

Cheers,
Luis.

Derek Bump wrote:
> Andre,
>
> Thank you so much for your response. I'm afraid I was a little unclear as to my intentions. I am implementing altBrowser into one of my projects, and unfortunately, altBrowser does not return whether IE knows if the server is secure. I'm looking for a way of determining this within Revolution so I can display that on the screen.
>
> I just looked over the built-in documentation for SSL and couldn't find much other than the encrypt and decrypt functions. I need a way to determine if the url that altBrowser is looking at is actually secure.
>
> Any ideas? :)
>
> Derek Bump
> Dreamscape Software
> www.dreamscapesoftware.com

Re: Determining SSL Authenticity
Andre,

Thank you so much for your response. I'm afraid I was a little unclear as to my intentions. I am implementing altBrowser into one of my projects, and unfortunately, altBrowser does not return whether IE knows if the server is secure. I'm looking for a way of determining this within Revolution so I can display that on the screen.

I just looked over the built-in documentation for SSL and couldn't find much other than the encrypt and decrypt functions. I need a way to determine if the url that altBrowser is looking at is actually secure.

Any ideas? :)

Derek Bump
Dreamscape Software
www.dreamscapesoftware.com

Andre Garzia wrote:
> Derek,
>
> if the certificate is not valid, the SSL library will return you an error. Actually, in some cases, it returns an error even for valid certificates...
>
> I don't know if you can find the certificate information from inside Rev, if you are using MacOS X then you can use cURL or some other unixland tool to query the certificate data but I never tried that.
>
> Andre
>
> PS: I simply feel like answering emails today... :-)

Re: Determining SSL Authenticity
Derek,

if the certificate is not valid, the SSL library will return you an error. Actually, in some cases, it returns an error even for valid certificates...

I don't know if you can find the certificate information from inside Rev, if you are using MacOS X then you can use cURL or some other unixland tool to query the certificate data but I never tried that.

Andre

PS: I simply feel like answering emails today... :-)

On Jan 3, 2007, at 1:08 AM, Derek Bump wrote:
> Does anyone know how to determine SSL authenticity? For example, if I'm connected to "https://www.somedomain.com/securepage.php", other than the "s" after http, how can I find out the certificate information?
>
> Or do I just trust the fact that since the "s" is after "http" that it's secure?
>
> Derek Bump
> Dreamscape Software
> www.dreamscapesoftware.com

Determining SSL Authenticity
Does anyone know how to determine SSL authenticity? For example, if I'm connected to "https://www.somedomain.com/securepage.php", other than the "s" after http, how can I find out the certificate information?

Or do I just trust the fact that since the "s" is after "http" that it's secure?

Derek Bump
Dreamscape Software
www.dreamscapesoftware.com