
This is possibly a duplicate of this and this. But they are from 2014; does this still apply in 2016?

I am developing a very simple extension that connects to a WebDAV server (Synology NAS). I am using the famous XMLHttpRequest with Basic authentication (base64 encoded) and SSL (HTTPS). Everything is working fine, but my server has a self-signed certificate. I assume this will be the default configuration for most users that buy this kind of "server". When you connect with Chrome there is an in-between warning page that lets you manually accept the connection, even if it is considered insecure.

Now, I've been digging a lot through the documentation and, maybe I am not very skilled, but I can't find an answer to some questions on the topic.

  1. Is the connection still encrypted? It is the certificate that is not trusted here, right? Isn't "ERR_INSECURE_RESPONSE" kind of misleading?
  2. Does the API provide a way to handle this situation? Can I call that in-between page or show that "Yes, continue anyway" link to allow the user to force and accept the certificate? Then I assume this will happen every time the browser is restarted?

Thanks.

  • The connection is still encrypted, but because an invalid certificate means the other end has not been securely identified as being who they claim to be, it might as well be a man-in-the-middle attack. Hence it's insecure. The actual correct way to deal with this is to install the certificate as trusted on the computer (after verifying the cert offered by the device is not too insecure to use in the first place) – Matti Virkkunen Apr 24 '16 at 21:52
  • @MattiVirkkunen thank you for your explanations. – enr00ted Apr 25 '16 at 09:16
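Added example, not code from the question or the comments: the XMLHttpRequest-with-Basic-auth call the question describes, sending a WebDAV PROPFIND over HTTPS and reporting a blocked (certificate-rejected) request to the user rather than trying to bypass the check. The server URL and credentials are placeholders; `basicAuthHeader`, `classifyResult` and `propfind` are names chosen here.

```javascript
// Build the Basic Authorization header value: "Basic " + base64("user:pass").
// btoa exists in browsers (and recent Node); the Buffer fallback keeps this runnable elsewhere.
// Note: btoa only accepts Latin-1 strings, so non-ASCII passwords need explicit UTF-8 encoding.
function basicAuthHeader(user, pass) {
  const raw = `${user}:${pass}`;
  const b64 = typeof btoa === 'function'
    ? btoa(raw)
    : Buffer.from(raw, 'binary').toString('base64');
  return `Basic ${b64}`;
}

// Map an XHR outcome to something the extension can show the user.
// A finished request (readyState 4) with status 0 means the browser refused it before any
// HTTP exchange happened; for an https: URL to a device with a self-signed certificate this is
// the ERR_INSECURE_RESPONSE case. Nothing in the extension API can accept the certificate,
// so the only fix is for the user to install the device certificate (or its CA) as trusted.
function classifyResult(url, status, readyState) {
  if (readyState !== 4) return { ok: false, reason: 'incomplete' };
  if (status === 0) {
    return {
      ok: false,
      reason: url.startsWith('https://') ? 'tls_or_network_blocked' : 'network_blocked',
      advice: 'Request was blocked before reaching the server. If the NAS uses a self-signed ' +
              'certificate, install it as trusted in the OS/browser store and retry.'
    };
  }
  if (status === 401) return { ok: false, reason: 'unauthorized' };
  if (status === 207 || (status >= 200 && status < 300)) return { ok: true, reason: 'ok' };
  return { ok: false, reason: `http_${status}` };
}

// Issue a PROPFIND against a WebDAV collection (browser/extension context: needs XMLHttpRequest).
// Assumed placeholder usage: propfind('https://nas.example.invalid/webdav/', 'admin', 'secret', 1, cb)
function propfind(url, user, pass, depth, onDone) {
  const xhr = new XMLHttpRequest();
  xhr.open('PROPFIND', url, true);
  xhr.setRequestHeader('Authorization', basicAuthHeader(user, pass));
  xhr.setRequestHeader('Depth', String(depth));
  xhr.setRequestHeader('Content-Type', 'application/xml; charset=utf-8');
  xhr.onreadystatechange = () => {
    if (xhr.readyState === 4) onDone(classifyResult(url, xhr.status, xhr.readyState), xhr.responseText);
  };
  xhr.send('<?xml version="1.0"?><d:propfind xmlns:d="DAV:">' +
           '<d:prop><d:displayname/><d:getlastmodified/></d:prop></d:propfind>');
}
```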

0 Answers