Ross Lagerwall's blog


Thu, 09 Apr 2015

Using and Verifying Certificates in GVFS 1.25.1

After several years of procrastination, GVFS finally became a little kinder to the security folks. It now supports verifying certificates when mounting a WebDAV share. If the certificate is invalid, it presents a dialog to the user with some information about the certificate so they can decide whether to continue:

[Image: Certificate dialog]

Gcr provides the certificate information.

Secondly, I've added support for FTPS. Secure FTP comes in two forms, implicit and explicit. Implicit is the older form: it runs on a separate port and uses SSL from the beginning of the connection. This was never standardized. Explicit uses a STARTTLS mechanism to upgrade the connection from normal to secure. With the GVFS implementation, only the explicit form is implemented, and it uses a different URL scheme (ftps) to clearly differentiate it from standard FTP. When ftps is used, both the control and data connections are secured and must use the same certificate. As with WebDAV, the certificate is verified, with the option for the user to accept an invalid certificate. This was a seven-year-old bug that was good to finally close.
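The checks described above can be applied to a recorded explicit-FTPS session. The following is an added example, not GVFS code: it audits a control-channel transcript and the certificates seen on each connection. The command names `AUTH TLS`, `PROT` and `CCC` and the 234 reply come from RFC 4217 rather than from this post; the function name, transcripts and certificate bytes are constructed for illustration.

```python
import hashlib

CREDENTIAL_CMDS = {"USER", "PASS", "ACCT"}
TRANSFER_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE", "STOU"}

def audit_explicit_ftps(transcript, control_cert, data_cert=None):
    """Audit one session. transcript is [(command line, final reply code)];
    the cert arguments are the DER bytes seen on each connection."""
    findings = []
    control_tls = False     # explicit FTPS starts in cleartext
    data_protected = False  # RFC 4217: data channel defaults to Clear
    for line, code in transcript:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            control_tls = code == 234  # 234: server agrees to negotiate TLS
            if not control_tls:
                findings.append(f"AUTH {arg} refused with reply {code}")
        elif verb == "CCC" and 200 <= code < 300:
            control_tls = False  # control channel reverted to cleartext
        elif verb == "PROT" and 200 <= code < 300:
            data_protected = control_tls and arg == "P"
        elif verb in CREDENTIAL_CMDS and not control_tls:
            findings.append(f"{verb} sent before the control channel was upgraded to TLS")
        elif verb in TRANSFER_CMDS and not data_protected:
            findings.append(f"{verb} used an unprotected data connection")
    if data_cert is not None:
        ctl = hashlib.sha256(control_cert).hexdigest()
        dat = hashlib.sha256(data_cert).hexdigest()
        if ctl != dat:
            findings.append("control and data connections presented different "
                            f"certificates ({ctl[:16]} vs {dat[:16]})")
    return findings

# Constructed sample data: stand-ins for DER certificates and two sessions.
CERT_A, CERT_B = b"constructed-der-A", b"constructed-der-B"
GOOD_SESSION = [("AUTH TLS", 234), ("USER alice", 331), ("PASS secret", 230),
                ("PBSZ 0", 200), ("PROT P", 200), ("PASV", 227), ("LIST", 226)]
BAD_SESSION = [("USER alice", 331), ("PASS secret", 230), ("AUTH TLS", 234),
               ("PROT C", 200), ("PASV", 227), ("RETR report.txt", 226)]

if __name__ == "__main__":
    for name, session, data_cert in (("good", GOOD_SESSION, CERT_A),
                                     ("bad", BAD_SESSION, CERT_B)):
        print(name, audit_explicit_ftps(session, CERT_A, data_cert) or "ok")
```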

posted at: 23:45 | path: /computer


Any opinions expressed here are my own and do not in any way reflect the opinions of my employer, or anyone else.
