HTTPS security features are entirely disabled in juce_win32_network.cpp


#1

So JUCE supports HTTPS under Windows but appears to then disable all the security features, almost entirely missing the point of HTTPS.

You’ve got two uses of SECURITY_SET_FLAGS in there. If you remove them then the correct behaviour occurs:

If you leave it how it is you might as well not be using HTTPS at all, as practically any idiotic attack will work (DNS poisoning, ARP spoofing, any other man-in-the-middle affair) … lucky I spotted this one before we added the payment features, eh :wink:


#2

Indeed, on the Windows platform there is a security issue.
To fix that, in juce_win32_Network.cpp:

Remove or comment out the SECURITY_SET_MASK flags in the WebInputStream::Pimpl::openHTTPConnection() method
and comment out all the content of the WebInputStream::Pimpl::setSecurityFlags() method.

I’ve tested it with
https://badssl.com/ and
https://revoked.grc.com/

And this fixes the issue.

Hope this helps.


#3

That’s exactly what I’ve done as well. Looks a lot better. Not sure what setSecurityFlags was supposed to be doing but it would have been better titled setNoSecurityAtAll().


#4

Looks like this was a workaround for an old Windows networking bug but removing all the SECURITY_SET_MASK flags seems to work OK and properly enables HTTPS features. This change will be on develop shortly.


#5

You also disable the requirement to use trusted CAs in setSecurityFlags. I don’t think you need that setSecurityFlags function at all.

PS. Thanks for looking at this properly. You should add a note that this is a breaking (although critical for security) change. Anyone who was relying on the previous behaviour may want to check their app’s network connectivity. It shouldn’t be a big deal for anyone doing cross-platform work though as the behaviour was more sane on the Mac anyway…


#6

Yeah, I removed the setSecurityFlags() method completely. Good point about notifying people about the change, I’ll add an entry to the breaking changes document…


#7

Good stuff. Problem closed.
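
To keep the fix discussed in this thread from regressing, here is an added example (not JUCE code and not written by any poster) that scans C++ source for live uses of the WinINet flags that relax certificate checking, skipping commented-out lines. The names `stripComments` and `auditWinInetFlags` and the sample source are constructed for illustration.

```cpp
#include <iostream>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

struct Finding { int line; std::string token; };
// Drop // and /* */ comments, keeping newlines; string literals are not parsed.
std::string stripComments (const std::string& src) {
    std::string out; bool inBlock = false;
    for (size_t i = 0; i < src.size(); ++i) {
        if (inBlock) {
            if (src.compare (i, 2, "*/") == 0) { inBlock = false; ++i; }
            else if (src[i] == '\n') out += '\n';
        } else if (src.compare (i, 2, "/*") == 0) { inBlock = true; ++i; }
        else if (src.compare (i, 2, "//") == 0) {
            while (i < src.size() && src[i] != '\n') ++i;
            if (i < src.size()) out += '\n';
        } else out += src[i];
    }
    return out;
}
// Report every live use of a WinINet flag that relaxes certificate checking.
std::vector<Finding> auditWinInetFlags (const std::string& src) {
    static const std::regex weak (R"(\b(SECURITY_SET_MASK|SECURITY_FLAG_IGNORE_[A-Z_]+|INTERNET_FLAG_IGNORE_CERT_[A-Z_]+)\b)");
    std::vector<Finding> found;
    std::istringstream in (stripComments (src));
    std::string line; int n = 0;
    while (std::getline (in, line)) {
        ++n;
        for (std::sregex_iterator it (line.begin(), line.end(), weak), end; it != end; ++it)
            found.push_back ({ n, it->str (1) });
    }
    return found;
}

// Constructed sample (not JUCE source): one live flag, one commented out.
const char* kSample = R"src(
void openConnection (HINTERNET request)
{
    DWORD flags = SECURITY_SET_MASK;
    // flags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
    InternetSetOption (request, INTERNET_OPTION_SECURITY_FLAGS, &flags, sizeof (flags));
}
)src";
int main() {
    for (const auto& f : auditWinInetFlags (kSample))
        std::cout << "line " << f.line << ": " << f.token << "\n";
}
```

Run over the networking sources in CI, an empty result means no certificate check is being switched off in live code.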