Mozilla Persona (BrowserID)
[resolved] [Plugin: Mozilla BrowserID] GET vs. POST and SSL-Certificates (10 posts)

  1. marv51
    Posted 4 years ago #

    Hi, awesome plugin!

    I ran into some trouble with one of my websites, because the get request the plugin generates was to long (browserid_assertion.length was > 2000). I solved this by creating a form element in login.js and submitting it. (http://pastebin.com/p50K55cF).

    tiny question:
    In Check_assertion() wouldn't it be better to "get_options" only after "if (isset($_REQUEST['browserid_assertion'])"?

    Something else I think this would be a lot easier to use for many people if you shipped with https certificats. I wanted to use it in a hosting environment, but my host hadn't configured curl for https. So I disabled the verify SSL-certificat option, but this feels insecure to me.
    Maybe the plugin can somehow set CURLOPT_CAINFO somehow and ship with the required files?


  2. marv51
    Posted 4 years ago #

    I found an easy way to solve the SSL-certificat problem:

    add_action('http_api_curl',array(&$this, 'modify_curl'));
    function modify_curl($handle){
    curl_setopt ( $handle , CURLOPT_CAINFO , dirname(__FILE__).'/cacert.pem' );

    And I got the Certificates from here: http://curl.haxx.se/ca/cacert.pem and put it in the browserid directory.

  3. M66B
    Plugin Contributor

    Posted 4 years ago #

    Thank you for your contributions!

    Although I would like to use the post form trick, I am a little bit concerned if it is cross-browser compatible. Do you know if this is the case?

    I will move the get_option.

    The certificate is a good solution too, but I guess it should be dependent of the verification server URL. I am a little bit surprise browserid.org is using a cacert.org certificate. Are you sure about this?

    Too much people using another plugin I wrote, Add Link to Facebook, complain about certificate problems too, so it seems a good idea to me to bundle the Facebook certificate with the plugin. Do you know which certificate Facebook is using or how I can find this out? (https://graph.facebook.com/) A little doubt is that don't want to go managing certificates for others. I think this can even been seen as a security risk.

  4. M66B
    Plugin Contributor

    Posted 4 years ago #

    I have checked for browser compatibility and there should not be a problem with all main browsers, even if they are ancient (you know what I mean ...). So, I have checked in the first two contributions as development version.

  5. M66B
    Plugin Contributor

    Posted 4 years ago #

    I was mistaken to associate cacert.pem with cacert.org. It appears that cacert.pem contains all root certificates. I have added the cURL hook code and the certificate file to the development version too now :-)

  6. marv51
    Posted 4 years ago #

    I don't know a lot about ssl certificates, but it seems(http://curl.haxx.se/ca/) that the .pem file is a convertion of a file firefox uses to authenticate certificates. It is generated weekly. (Maybe some WP_cron magic could update the certificat list? I'll look into this.) CA in this case stands for Certificate authority, I think. As far as I know the file contains all the root certificates Firefox trusts. I will do some reading on this and get back to you. I don't think this file has anything to do with cacert.org.

    I think OpenSSL can validate Facebooks certificate with the cacert.pem file.

    In Firefox: Facebook, right click, Page Info, Security, View Certificate, then Details should give you all the details about what certificat facebook uses. (With the option to export it in .crp format which you could than convert to .pem).

    I think, not verifing a certificate at all is always worse ...

    About the cross browser compatibility issue:
    I tested in IE9, IE10, Safari 5.1, Firefox 11+15a1 and Chrome 18. BrowserID does not work with IE 7 and below. BrowserID doesn't work if I put IE10 in IE8 Mode, fails to connect to the server. I don't have any way to test in a real IE8. But acording to the internet ;-) all the methods should be safe to use in IE8 and up. I cleaned it up a little bit: http://pastebin.com/TDNXciMd

    I will propably be offline tomorrow and during the weekend.

  7. marv51
    Posted 4 years ago #

    Looks like I was too slow here, I had this open for quit some time....

    However please use the JS I posted in my last post it is much nicer and fixes a small style issue.

    I'm so happy some of my code will make it into a plugin :-)

  8. M66B
    Plugin Contributor

    Posted 4 years ago #

    I am glad you are helping to improve the plugin!

    I have checked in your latest changes, with some minor things changed.

  9. marv51
    Posted 4 years ago #

    I have a question:

    You changed
    for (var i = 0, length = fields.length; i < length; i++){
    for (var i = 0; i < fields.length; i++) {

    Is that mainly for readability reasons?

    I think I learnd a couple weeks ago that saving the length before the loop was good for performance? Is that out of date?

    Obviously in this case readability is most important as the array is tiny.

  10. M66B
    Plugin Contributor

    Posted 4 years ago #

    Give that JavaScript engines are very fast nowadays, I prefer readability.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Mozilla Persona (BrowserID)
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic