A few years ago I wrote a Delphi app which opens an intranet site in TWebBrowser. The app works fine on Windows XP SP3, but on Windows 7, TWebBrowser shows the IE8-style red certificate error page. Moreover, clicking on "Continue to this website" doesn't open the page. Interestingly, when I open the page either in IE8 on Windows XP, or in IE9 on Windows 7, it opens successfully, and the browsers report no certificate error.

Is it possible to configure TWebBrowser or the application or Windows itself in a way which eliminates the certificate error page?

I've tried to run the app in admin mode, with and without Windows XP compatibility mode. I've installed the certificate of the page into every reasonable cert store. I played with the security settings of IE, and the Internet Explorer FeatureControl settings in the registry. None of these helped.

kol

(I rewrote my answer after David Heffernan's comments.)

1. Workaround

Turning off "Check for server certificate revocation" in "Internet Options\Advanced\Security" eliminated the certificate error page in TWebBrowser. Note that turning off revocation checking opens a security hole (thanks to David Heffernan for emphasizing this in his comments).

Certificate Revocation Checkbox

2. Difference between Windows XP and 7

The different behavior was due to the fact that this option is turned off on Windows XP by default, but turned on on Windows 7. It's strange that this security setting is handled differently on different OS versions. Windows XP should have been patched to turn this setting on by default.

3. The problem with the certificate

When revocation checking is turned on, IE reports that there is no problem with the site's certificate and every certificate in the certificate chain is OK. This is misleading, because if the Internet Explorer Feature Control FEATURE_WARN_ON_SEC_CERT_REV_FAILED is also turned on, IE displays a Certificate Warning which says "Internet Explorer was unable to contact the issuer to ensure the certificate has not been revoked".

Certificate Issuer Unreachable

4. The effect of Silent Mode

When revocation checking is turned on, and the issuer cannot be contacted, TWebBrowser shows a Security Alert popup with the text "Revocation information for the security certificate for this site is not available. Do you want to proceed?" Unfortunately, when the TWebBrowser.Silent property is True, the prompt is suppressed and "No" is automatically chosen. In my case, Silent Mode was turned on because I wanted to hide the JavaScript errors of the page, so TWebBrowser jumped directly to the certificate error page, and didn't let me proceed.

Revocation Information Unavailable

5. The solution

The security hole can be avoided by enabling the revocation check, but in this case TWebBrowser.Silent must be False, and the user will have to close every popup manually (on the above Security Alert popup "Yes" must be clicked). Since my app uses the site automatically (based on code written in PascalScript), it has to close every popup itself (this feature has already been implemented for Confirm popups).

kol
  • That doesn't really sound like a solution. – David Heffernan Feb 13 '14 at 22:55
  • @DavidHeffernan That's why I used the double quotes. There is no problem with the certificate of the site, it's not been revoked. In spite of this, turning off revocation check works. – kol Feb 14 '14 at 07:19
  • You've not solved anything. You don't understand what is going on. You've just buried your head in the sand. Now when you load pages with revoked certs, you'll never find out about it. Your *solution* is akin to disabling your virus scanner because it happened to report one false positive. – David Heffernan Feb 14 '14 at 07:22
  • @DavidHeffernan OK, I replaced the word "solution" with "workaround". I agree this workaround is not a solution, but it works, so I can use it until I understand what's happening. I asked the question because I hope that experts will come up with a real solution eventually, but in the meantime I must do something with the problem. I'm sure you understand the situation. – kol Feb 14 '14 at 07:36
  • It doesn't really work. It's not a workaround. What you've done is opened a security hole. – David Heffernan Feb 14 '14 at 07:38
  • @DavidHeffernan I figured out what happened and rewrote my answer. Thanks for your comments! – kol Feb 14 '14 at 11:01
  • I wonder if we have the same problem with TChromium? I am migrating all my TWebbrowser based apps to TChromium due to this sort of limitation. Sadly there are still webapps out there that only support IE :( – whosrdaddy Feb 14 '14 at 12:04
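As an added example (not code from the question or the answer above), the following PowerShell script checks the "Check for server certificate revocation" setting the answer discusses, diagnoses why the issuer's CRL/OCSP endpoint cannot be contacted by letting certutil fetch it, and turns on the FEATURE_WARN_ON_SEC_CERT_REV_FAILED feature control for the app so the real reason is shown instead of the bare certificate error page. $SiteHost and $ExeName are placeholders for the intranet host and the Delphi executable; run it on the Windows 7 machine where the problem appears.

```powershell
# Added example, not from the question or the answer. $SiteHost and $ExeName
# are placeholders: replace them with the intranet host and the Delphi exe.
$SiteHost = 'intranet.example.invalid'
$ExeName  = 'MyDelphiApp.exe'

# 1. Read "Check for server certificate revocation" (Internet Options > Advanced).
#    1 = enabled (Windows 7 default), 0 or missing = disabled (Windows XP default).
function Get-IeRevocationSetting {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $v = (Get-ItemProperty -Path $key -Name CertificateRevocation -ErrorAction SilentlyContinue).CertificateRevocation
    if ($v -eq 1) { 'enabled' } else { 'disabled' }
}

# 2. Fetch the site's certificate and let certutil download its CRL/OCSP
#    responses; this is the step IE fails when it reports "unable to contact
#    the issuer to ensure the certificate has not been revoked".
function Test-ServerCertRevocation([string]$TargetHost) {
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost)   # throws if the chain itself is untrusted
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
    $tmp = Join-Path $env:TEMP "$TargetHost.cer"
    [IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))
    # -urlfetch forces certutil to retrieve the CRL/OCSP URLs from the cert;
    # an unreachable issuer shows up as "offline"/"failed" lines in its report.
    & certutil.exe -urlfetch -verify $tmp | Select-String -Pattern 'Revocation|CRL|OCSP|offline|failed'
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

# 3. Make the embedded IE show the revocation-failure warning inside the app
#    (the feature control named in the answer) instead of failing silently.
function Enable-RevocationFailureWarning([string]$Exe) {
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Exe -PropertyType DWord -Value 1 -Force | Out-Null
}

"IE revocation checking: $(Get-IeRevocationSetting)"
Test-ServerCertRevocation $SiteHost
Enable-RevocationFailureWarning $ExeName
```

If certutil reports the CRL or OCSP fetch as offline, fixing the proxy or firewall path to that URL (or publishing the CRL where the intranet can reach it) removes the error page while keeping revocation checking on.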