8

ServicePointManager.ServerCertificateValidationCallback is a global static property that can be overwritten by any bit of code in your application simply by doing:

using System.Net;

// Process-wide hook: from here on every HttpWebRequest in the AppDomain
// accepts any certificate, whatever sslPolicyErrors reports.
ServicePointManager.ServerCertificateValidationCallback
    = (sender, cert, chain, sslPolicyErrors) => true;

Why did they decide to implement it that way? Surely it should be a property on the WebRequest object, and you should have a very good reason for why you are ignoring the certificate.

Frédéric Hamidi
superlogical
  • So what you complain about is that this is a static property instead of an instance property, making it hard to use different policies in independent parts of the application? – CodesInChaos Jul 11 '12 at 11:53
  • No, it's because any bit of 3rd party code you consume, like SDKs etc., can go and overwrite your callback with theirs. – superlogical Jul 11 '12 at 11:54
  • This doesn't look like an actual question to me. You're just complaining about an unnecessary use of global mutable state. – CodesInChaos Jul 11 '12 at 11:59
  • I'm asking why they decided to implement it like this? Surely it should be a config file setting that no-one but your machine can override??? – superlogical Jul 11 '12 at 12:00
  • Are you claiming this is a security problem (it's not), or just that it's bad design (it probably is)? A config file is just as bad (global and mutable) as the current code. – CodesInChaos Jul 11 '12 at 12:02

1 Answer

5

Other code being able to set this property is not a security issue, since setting the property requires the SecurityPermissionFlag.Infrastructure permission, which you don't need to grant to code you don't trust.

On the other hand I agree that it's bad design, since it's global mutable state and that should be avoided. In particular it makes it unnecessarily hard to use different validation policies in different parts of the program. A shared config file, as you suggest, would be even worse IMO.

The correct choice would be an instance property for the callback, just like what the plain SslStream class uses. I'm not familiar enough with that part of the framework to say if this property exists, and thus ServicePointManager.ServerCertificateValidationCallback only serves as a default, or if this global variable is the only way to influence certificate validation.

CodesInChaos
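The per-instance alternative the answer points at, as an added example that is not part of the question or the answer: SslStream takes its RemoteCertificateValidationCallback in the constructor, so the policy below applies to that one connection only and is unaffected by whatever a third-party library has stuffed into ServicePointManager.ServerCertificateValidationCallback. It also shows a startup check that fails fast if a global callback has been installed. ExpectedThumbprint is a placeholder, not a real value; PerConnectionTls, StrictPolicy, Connect and AssertNoGlobalCallback are names chosen for this example.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question or the answer.
static class PerConnectionTls
{
    // Placeholder: replace with the SHA-1 thumbprint of the server certificate
    // you actually expect. Pins have to be rotated when that certificate is renewed.
    const string ExpectedThumbprint = "PLACEHOLDER_SHA1_THUMBPRINT";

    // Policy for one connection. It never returns true unconditionally:
    // any chain or name error fails the handshake, and on top of the normal
    // chain check the leaf certificate must match the pinned thumbprint.
    static bool StrictPolicy(object sender, X509Certificate cert,
                             X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None)
            return false;   // untrusted root, name mismatch, chain problems

        var leaf = cert as X509Certificate2 ?? new X509Certificate2(cert);
        return string.Equals(leaf.Thumbprint, ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Opens a TLS connection governed only by StrictPolicy. The global
    // ServicePointManager callback is not consulted for SslStream instances
    // that were given their own callback.
    public static SslStream Connect(string host, int port)
    {
        var tcp = new TcpClient(host, port);
        // leaveInnerStreamOpen = false: disposing the SslStream closes the socket too.
        var ssl = new SslStream(tcp.GetStream(), false, StrictPolicy);
        try
        {
            ssl.AuthenticateAsClient(host);   // throws AuthenticationException on policy failure
            return ssl;
        }
        catch
        {
            ssl.Dispose();
            throw;
        }
    }

    // Defensive check for the situation described in the question: if any
    // library loaded into the process has replaced the global callback,
    // refuse to continue instead of silently inheriting its policy.
    public static void AssertNoGlobalCallback()
    {
        if (ServicePointManager.ServerCertificateValidationCallback != null)
            throw new InvalidOperationException(
                "A global ServerCertificateValidationCallback is installed; refusing to start.");
    }
}
```

Call AssertNoGlobalCallback() early in startup, after all third-party assemblies have been loaded and initialised, so it sees any hook they set; the check cannot tell a permissive callback from a strict one, only that the default validation has been replaced. Note that HttpWebRequest itself gained an instance-level ServerCertificateValidationCallback property in .NET Framework 4.5, so for HTTP the same per-request approach is available without dropping down to SslStream.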