The following security considerations apply to applications that use WinHTTP:
Ser ver cer tificates are only verified once per session.Ser ver cer tificates are only verified once per session. After a certificate has been verified, it remains
valid for the duration of the current session. As long as the certificate fingerprint matches, which indicates
that the certificate has not changed, the certificate continues to be re-validated. As a result, any change in the
validation criteria, through the protocol, revocation-check, or certificate-error-ignore flags, does not take
effect once the certificate is verified. To force such a change to take effect immediately, the current session
must be ended and a new one started. Similarly, expiration of a certificate during the course of a session can
only be detected if the application itself checks the certificate server periodically to retrieve expiration data.
Auto-proxy involves downloading and executing scripts.Auto-proxy involves downloading and executing scripts. The automatic proxy discovery support
involves detecting through DHCP or DNS, downloading, and executing proxy scripts such as Java scripts. To
achieve a higher degree of security, an application must avoid passing the
WINHTTP_AUTOPROXY_RUN_INPROCESSWINHTTP_AUTOPROXY_RUN_INPROCESS flag, so that the auto-proxy discovery is initiated out-of-
process. Even then, WinHTTP tries by default to run an auto-proxy script in-process if the script fails to run
properly out-of-process. If you believe that this fallback behavior poses an unacceptable risk, disable the
fallback behavior with the WINHTTP_AUTOPROXY_RUN_OUTPROCESS_ONLYWINHTTP_AUTOPROXY_RUN_OUTPROCESS_ONLY flag.
WINHTTP_STATUS_CALLBACK functions must return promptly.WINHTTP_STATUS_CALLBACK functions must return promptly. When you write one of these callback
functions, be careful that it does not block. For example, neither the callback nor any function it calls should
display a user dialog or wait for an event. If a
WINHTTP_STATUS_CALLBACK
function does block, it affects
WinHTTP's internal scheduling and causes other requests within the same process to be denied service.
WINHTTP_STATUS_CALLBACK functions must be reentrant.WINHTTP_STATUS_CALLBACK functions must be reentrant. When writing a callback, avoid static
variables or other constructs that are unsafe under reentrance, and avoid calling other functions that are not
reentrant.
If asynchronous operation is possible, pass NULLs for OUT parameters.If asynchronous operation is possible, pass NULLs for OUT parameters. If you have enabled
asynchronous operation by registering a callback function, always pass NULLNULL values for such OUT
parameters as
lpdwDataAvailable
for WinHttpQuer yDataAvailableWinHttpQuer yDataAvailable,
lpdwBytesRead
for
WinHttpReadDataWinHttpReadData, or
lpdwBytesWritten
for WinHttpWriteDataWinHttpWriteData. Under some circumstances, the calling
thread is terminated before the operation completes, and if the OUT parameters are not NULLNULL, the function
can end up writing to memory that has already been freed.
Passpor t authentication is not foolproof.Passpor t authentication is not foolproof. Any cookie-based authentication scheme is vulnerable to
attack. Passport version 1.4 is cookie based, and therefore subject to the vulnerabilities that are associated
with any cookie or form-based authentication scheme. Passport support is disabled by default in WinHTTP; it
can be enabled using WinHttpSetOptionWinHttpSetOption.
Basic authentication should only be used over a secure connection.Basic authentication should only be used over a secure connection. Basic authentication, which
sends the user name and password in clear text (see RFC 2617), should be used only over encrypted SSL or
TLS connections.
Setting Auto-Logon Policy to "low" can pose a risk .Setting Auto-Logon Policy to "low" can pose a risk . When the Auto-Logon Policy is set to low, a user's
logon credential can be used to authenticate against any site. However, it is not good security practice to
authenticate against sites you do not trust.
SSL 2.0 connections are not used unless explicitly enabled.SSL 2.0 connections are not used unless explicitly enabled. The TLS 1.0 and SSL 3.0 security
protocols are considered more secure than SSL 2.0. By default, WinHTTP requests TLS 1.0 or SSL 3.0 when
negotiating an SSL connection, not SSL 2.0. SSL 2.0 support in WinHTTP can only be enabled by calling
WinHttpSetOptionWinHttpSetOption.
Cer tificate-revocation checking must be explicitly requested.Cer tificate-revocation checking must be explicitly requested. By default, when performing certificate
authentication, WinHTTP does not check whether the server's certificate has been revoked. Certificate-