[Plugin: Mozilla BrowserID] GET vs. POST and SSL-Certificates

I found an easy way to solve the SSL-certificat problem:

add_action('http_api_curl',array(&$this, 'modify_curl'));
function modify_curl($handle){
curl_setopt ( $handle , CURLOPT_CAINFO , dirname(__FILE__).'/cacert.pem' );
}


And I got the Certificates from here: https://curl.haxx.se/ca/cacert.pem and put it in the browserid directory.

Thank you for your contributions!

Although I would like to use the post form trick, I am a little bit concerned if it is cross-browser compatible. Do you know if this is the case?

I will move the get_option.

The certificate is a good solution too, but I guess it should be dependent of the verification server URL. I am a little bit surprise browserid.org is using a cacert.org certificate. Are you sure about this?

Too much people using another plugin I wrote, Add Link to Facebook, complain about certificate problems too, so it seems a good idea to me to bundle the Facebook certificate with the plugin. Do you know which certificate Facebook is using or how I can find this out? (https://graph.facebook.com/) A little doubt is that don’t want to go managing certificates for others. I think this can even been seen as a security risk.

I have checked for browser compatibility and there should not be a problem with all main browsers, even if they are ancient (you know what I mean …). So, I have checked in the first two contributions as development version.

I was mistaken to associate cacert.pem with cacert.org. It appears that cacert.pem contains all root certificates. I have added the cURL hook code and the certificate file to the development version too now ??

I don’t know a lot about ssl certificates, but it seems(https://curl.haxx.se/ca/) that the .pem file is a convertion of a file firefox uses to authenticate certificates. It is generated weekly. (Maybe some WP_cron magic could update the certificat list? I’ll look into this.) CA in this case stands for Certificate authority, I think. As far as I know the file contains all the root certificates Firefox trusts. I will do some reading on this and get back to you. I don’t think this file has anything to do with cacert.org.

I think OpenSSL can validate Facebooks certificate with the cacert.pem file.

In Firefox: Facebook, right click, Page Info, Security, View Certificate, then Details should give you all the details about what certificat facebook uses. (With the option to export it in .crp format which you could than convert to .pem).

I think, not verifing a certificate at all is always worse …

About the cross browser compatibility issue:
I tested in IE9, IE10, Safari 5.1, Firefox 11+15a1 and Chrome 18. BrowserID does not work with IE 7 and below. BrowserID doesn’t work if I put IE10 in IE8 Mode, fails to connect to the server. I don’t have any way to test in a real IE8. But acording to the internet ?? all the methods should be safe to use in IE8 and up. I cleaned it up a little bit: https://pastebin.com/TDNXciMd

I will propably be offline tomorrow and during the weekend.

Looks like I was too slow here, I had this open for quit some time….

However please use the JS I posted in my last post it is much nicer and fixes a small style issue.

I’m so happy some of my code will make it into a plugin ??

I am glad you are helping to improve the plugin!

I have checked in your latest changes, with some minor things changed.

I have a question:

You changed
for (var i = 0, length = fields.length; i < length; i++){
to
for (var i = 0; i < fields.length; i++) {

Is that mainly for readability reasons?

I think I learnd a couple weeks ago that saving the length before the loop was good for performance? Is that out of date?

Obviously in this case readability is most important as the array is tiny.

Give that JavaScript engines are very fast nowadays, I prefer readability.