However, this certificate step can be bypassed completely by commenting out this block, and there's no sign to the user that the certificate wasn't provided.
From a security perspective, this is relatively minor, since the privileged commands will all fail due to an invalid certificate, however there's no sign that the cert is missing and the untrusted dialog doesn't show in this scenario, which is different than the behavior in 1.9.
Note, this can also be simulated by giving a bad URL, i.e.
@bberenz thoughts appreciated here...
Currently with the
2.0
branch, the recommended method for setting the certificate is as follows:However, this certificate step can be bypassed completely by commenting out this block, and there's no sign to the user that the certificate wasn't provided.
From a security perspective, this is relatively minor, since the privileged commands will all fail due to an invalid certificate, however there's no sign that the cert is missing and the untrusted dialog doesn't show in this scenario, which is different than the behavior in 1.9.
Note, this can also be simulated by giving a bad URL, i.e.