Closed daverof closed 2 years ago
Hey there, thanks for bringing this to my attention.
The reason for originally disabling it at a global level is because there are a decent handful of users who use SSL certificates on their private/LAN network, and having it not disabled globally causes issues with loading images across the entirety of the application, as it uses a global HttpClient that is initialized at launch.
I will however look into a way of adding back a single, global toggle. I do agree that it poses a security risk, but ultimately decided before to remove it after getting enough support messages regarding it.
Hi @JagandeepBrar I hope you are well.
Is there any chance of getting this resolved in the upcoming version 6 release? I can still connect to my services with an expired or self-signed certificate. I think those users who are unable or unwilling to set up certificates properly should not be using HTTPS in the first place ;)
Thanks and regards
In LunaSea 4.1.0 strict TLS/SSL validation was disabled globally with no way to enable it manually. I can now log in to my apps using a self-signed certificate without any warnings.
This is a security issue that makes users vulnerable to man-in-the-middle attacks and similar.
Many users already use Let's Encrypt to produce valid certificates for external-facing services.
In 2016, Apple made strict validation mandatory for apps so it feels like a backwards step to disable this now!
I realize that it creates more support issues because of badly configured or non-existent certificates, but please consider enabling it again, even if it is not on by default.
Thanks for your great work!
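One way to combine the single global toggle discussed in this thread with support for LAN users' self-signed certificates, as an added example that is not LunaSea's code. It assumes the app's global HttpClient is Dart's `dart:io` client; `TlsSettings`, `acceptBadCertificate` and `LanAwareHttpOverrides` are hypothetical names, and the host and PEM are constructed sample values.

```dart
import 'dart:io';

/// Hypothetical settings object (names are assumptions for this example).
class TlsSettings {
  const TlsSettings({this.strict = true, this.pinnedPems = const {}});

  /// Global toggle: when true, only chains the platform trusts are accepted.
  final bool strict;

  /// Per-host opt-in keyed by "host:port", holding the exact PEM the user approved.
  final Map<String, String> pinnedPems;
}

/// Pure policy function, so the decision can be unit tested without a socket.
bool acceptBadCertificate(TlsSettings s, String pem, String host, int port) {
  if (s.strict) return false; // strict mode: never override validation
  final pinned = s.pinnedPems['$host:$port'];
  // Relaxed mode still requires an exact match with the approved certificate.
  return pinned != null && pinned.trim() == pem.trim();
}

class LanAwareHttpOverrides extends HttpOverrides {
  LanAwareHttpOverrides(this.settings);
  final TlsSettings settings;

  @override
  HttpClient createHttpClient(SecurityContext? context) {
    final client = super.createHttpClient(context);
    // Called only for certificates that already failed normal validation
    // (self-signed, expired, wrong host); valid chains never reach it.
    client.badCertificateCallback =
        (X509Certificate cert, String host, int port) =>
            acceptBadCertificate(settings, cert.pem, host, port);
    return client;
  }
}

void main() {
  // Constructed sample certificate text and host, not real values.
  const pem = '-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----';
  const relaxed = TlsSettings(strict: false, pinnedPems: {'nas.lan:8989': pem});

  print(acceptBadCertificate(relaxed, pem, 'nas.lan', 8989)); // pinned host and cert
  print(acceptBadCertificate(relaxed, 'other cert', 'nas.lan', 8989)); // swapped cert
  print(acceptBadCertificate(const TlsSettings(), pem, 'nas.lan', 8989)); // strict on

  // Install once at launch so every client created afterwards follows the policy.
  HttpOverrides.global = LanAwareHttpOverrides(relaxed);
}
```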