[webkit-dev] About https support of WebKitGTK

[Dan Winship]

On 06/24/2009 04:57 AM, Alfred Peng wrote:
> The latest WebKitGTK 1.1.10 has switched to use libsoup as the default
> backend (The HTTP Authentication dialog looks good BTW). And it
> supports https by default. As I check the WebKitGTK source code,
> WebKitGTK calls soup_session_async_new to create SoupSession. With
> this session, WebKitGTK accepts all SSL certificates automatically
> instead of checking against certain SSL Certificate Authorities. This
> approach looks not so secure, for Epiphany for example.
> 
> Is there any plan to improve this situation in the future development
> (Maybe before GNOME 2.28 release)? Is there any setting to disable
> https support for now like we did for cURL backend?

If you wanted to disable https support, you could add this somewhere:

    g_object_set (webkit_get_default_session (),
                  SOUP_SESSION_SSL_CA_FILE, "/dev/null",
                  NULL);

and that will cause all SSL connections to fail. (Of course, instead of
pointing it to "/dev/null", you could also point it to an x509 file
containing the certs of trusted certificate authorities, in which case
it would accept correctly-named non-expired certificates signed by one
of those CAs, and reject all others.)

There is not currently any way to let the application decide on a
case-by-case basis whether or not to accept a certificate. There's a bug
about it somewhere in bugzilla (bugzilla.gnome.org that is, libsoup
product), but I'm not actively working on it because IMHO letting the
user decide whether or not to accept a certificate is not actually an
"improvement" in terms of either usability or security. YMMV. Patches
accepted. Note also that I'm not an Epiphany or WebKitGTK developer, and
I'm not sure what they think about this (though I've never seen it on
any of the lists of "things we need to get done for Epiphany 2.28").

-- Dan