UWS has very powerful interactive SSL endpoint & certificate management functionality. This leads to a question often asked by web app developers:
Is it possible to register an SSL/HTTPS endpoint programmatically when a redistributable web app gets registered with UWS during app installation?

The answer is, unfortunately, no, and the reason in a nutshell is that allowing it would violate sound security practices.
Here's the more nuanced explanation of why a redistributable web app cannot have SSL out of the box. Most people can appreciate the importance of the encryption of wire traffic that SSL provides. However, most folks, including many software engineers, fail to realize that encryption is meaningless if one can't be sure who's on the other side of the wire. In the SSL protocol, the assurance of the web server's identity comes from Certificate Authorities' practices that verify the identity of the certificate holder. If a redistributable application were to register an SSL endpoint for itself, it would also have to provide a certificate. Since a redistributable application has no way of verifying the server's identity, it would have to either create a self-signed certificate, or install the same (possibly publicly-trusted) certificate on every box where it's installed. In either case the server's identity cannot be verified by the application when the certificate is installed, meaning that clients would have encryption without server identity assurance, and this is a bad practice we cannot facilitate.
We do, however, allow end users to follow these bad practices themselves, explicitly, via the UWS cert management UI. When they do it, they do it at their own risk and it's their responsibility. However, an application installer doing it automatically may lead end users (who don't normally know what makes SSL secure) to think that the application is SSL-secure, when in fact it isn't. This is a legal liability for web application vendors, and it's also something that could make anti-virus makers black-list our web server as malware.
The bottom line is that once you realize that encryption is moot without server identity assurance, you will realize that apps lacking the means to verify the target system's server identity cannot possibly be secure even with SSL, and therefore should not be presented as such.
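To make "encryption without server identity assurance" concrete, here is an added example (not UltiDev's code, and not part of the original post) written from the client's point of view. It audits a server certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns and reports the two failure modes the post describes: a self-signed certificate (issuer equals subject, so no authority vouched for the name) and a certificate shared across installs whose name does not match the host actually being contacted. The certificates, the host names and the trusted-issuer list are constructed for illustration; a real client would rely on the OS CA bundle and full chain building, which client_context() shows via ssl.create_default_context() beside the weakened configuration that keeps encryption but drops identity checks.

```python
import ssl
import time

# Constructed trust anchors; in a real client the OS / CA bundle plays this role.
TRUSTED_ISSUERS = {"Example Public CA"}


def _name_attr(name, attr):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a wildcard is allowed only as the
    whole leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def audit_peer_cert(cert, hostname, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Return the reasons this certificate gives no server identity assurance for
    `hostname`; an empty list means every check passed."""
    now = time.time() if now is None else now
    findings = []
    issuer_cn = _name_attr(cert["issuer"], "commonName")
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed: issuer is the subject, so nobody vouched for this identity")
    elif issuer_cn not in trusted_issuers:
        findings.append(f"issuer {issuer_cn!r} is not a trusted authority")
    # Name binding: the certificate must name the host the client asked for.
    san_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(dns_name_matches(n, hostname) for n in san_names):
        findings.append(f"no subjectAltName entry matches {hostname!r}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("certificate has expired")
    return findings


def client_context(verify_identity=True):
    """The default context enforces chain validation plus hostname matching; the
    weakened one still encrypts but accepts any certificate, which is exactly the
    'encryption without identity assurance' state the post warns about."""
    if verify_identity:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE  # encrypts, but trusts whoever answers
    return ctx


# Constructed sample certificates in getpeercert() form (not real certificates).
SELF_SIGNED = {  # what an installer could mint on its own
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}
VENDOR_SHARED = {  # one publicly-trusted cert shipped to every customer box
    "subject": ((("commonName", "app.vendor.example"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "app.vendor.example"),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}
CUSTOMER_ISSUED = {  # cert the customer obtained for their own host name
    "subject": ((("commonName", "intranet.customer.example"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "intranet.customer.example"), ("DNS", "*.customer.example")),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}

if __name__ == "__main__":
    host = "intranet.customer.example"
    for label, cert in [("self-signed", SELF_SIGNED), ("vendor-shared", VENDOR_SHARED),
                        ("customer-issued", CUSTOMER_ISSUED)]:
        print(label, "->", audit_peer_cert(cert, host) or ["identity assured"])
```

Running it shows the self-signed and vendor-shared certificates each failing a different check against the customer's host name, while only the certificate the customer obtained for their own name passes; that is the step a redistributable installer cannot perform on the customer's behalf.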
As a work-around, we have created a detailed walk-through of how to get a publicly-trusted server certificate. If you are an application developer, please feel free to refer your customers who require SSL to this page.
Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.