If you leave it how it is you might as well not be using HTTPS at all, as practically any idiotic attack will work (DNS poisoning, ARP spoofing, any other man-in-the-middle affair) … lucky I spotted this one before we added the payment features, eh
Indeed, on the Windows platform there is some security issue.
To fix that, in juce_win32_Network.cpp:
Remove or comment out the SECURITY_SET_MASK flags in the WebInputStream::Pimpl::openHTTPConnection() method
and comment out all the content of the WebInputStream::Pimpl::setSecurityFlags() method.
That’s exactly what I’ve done as well. Looks a lot better. Not sure what setSecurityFlags was supposed to be doing but it would have been better titled setNoSecurityAtAll().
Looks like this was a workaround for an old Windows networking bug but removing all the SECURITY_SET_MASK flags seems to work OK and properly enables HTTPS features. This change will be on develop shortly.
You also disable the requirement to use trusted CAs in setSecurityFlags. I don’t think you need that setSecurityFlags function at all.
PS. Thanks for looking at this properly. You should add a note that this is a breaking (although critical for security) change. Anyone who was relying on the previous behaviour may want to check their app’s network connectivity. It shouldn’t be a big deal for anyone doing cross-platform work though as the behaviour was more sane on the Mac anyway…
Yeah I removed the setSecurityFlags() method completely. Good point about notifying people about the change, I’ll add an entry to the breaking changes document…
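A check for the fix discussed in this thread, as an added example that is not part of the original posts or of JUCE: it reports where SECURITY_SET_MASK, setSecurityFlags or one of WinINet's certificate-error "ignore" flags still appears in live (uncommented) code, so a vendored copy of juce_win32_Network.cpp can be audited. The function names and the two sample snippets are constructed for illustration.

```python
import re
import sys

# Identifiers named in the thread, plus WinINet's flags that ignore certificate errors.
RISKY = re.compile(
    r"\b(SECURITY_SET_MASK|setSecurityFlags"
    r"|SECURITY_FLAG_IGNORE_(?:UNKNOWN_CA|REVOCATION|CERT_CN_INVALID|CERT_DATE_INVALID)"
    r"|INTERNET_FLAG_IGNORE_CERT_(?:CN|DATE)_INVALID)\b")

# String literals are matched first so a "//" inside a URL is not taken for a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(src):
    """Blank out // and /* */ comments, keeping newlines so line numbers stay valid."""
    def blank(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(blank, src)

def find_live_flags(src):
    """Return (line_number, identifier) for each risky identifier outside comments."""
    hits = []
    for n, line in enumerate(strip_comments(src).splitlines(), 1):
        hits.extend((n, m.group(1)) for m in RISKY.finditer(line))
    return hits

# Constructed samples (not JUCE source): before the fix, and after commenting it out.
BEFORE = '''\
void openHTTPConnection()
{
    DWORD flags = INTERNET_FLAG_SECURE | SECURITY_SET_MASK;  // see "http://example.invalid"
    setSecurityFlags();
}
'''
AFTER = '''\
void openHTTPConnection()
{
    DWORD flags = INTERNET_FLAG_SECURE; // | SECURITY_SET_MASK
    /* setSecurityFlags();
       SECURITY_FLAG_IGNORE_UNKNOWN_CA */
    const char* url = "https://example.invalid/";
}
'''

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the path to a local juce_win32_Network.cpp
        with open(path, encoding="utf-8", errors="replace") as f:
            for n, name in find_live_flags(f.read()):
                print(f"{path}:{n}: {name}")
```

A remaining declaration or definition of setSecurityFlags is reported as well, which matches the maintainer's decision to remove the method completely.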