Rather than setting the HTTPSecureSocket.Secure property directly, I want to use the URL to determine it, something like this:
Sub DoSomething (url As String)
url = url.Trim
dim h as new HTTPSecureSocket
h.Secure = url.Left( 6 ) = "https:"What’s the downside to that approach?
That’s what I actually do with a subclass of HTTPSecureSocket. Haven’t had any issues so far!
Thanks Ashot, I’m going to do it just that way.
[quote=156632:@Kem Tekinay]Rather than setting the HTTPSecureSocket.Secure property directly, I want to use the URL to determine it, something like this:
Sub DoSomething (url As String)
url = url.Trim
dim h as new HTTPSecureSocket
h.Secure = url.Left( 6 ) = "https:"What’s the downside to that approach?[/quote]
That you’re not using enough of the url 
h.Secure = url.Left( 8 ) = “https://”
This is doing a unicode-savy string comparison using the “=” operator, so that Https and httPs will both match. As will all variants using bizarre unicode points that map to the same letters. This may be a case where doing a binary string comparison after using Lower() might be safer.
The possible attack vector here would be to craft a non-ASCII url which looks like “https” but is actually composed of invalid unicode code points which somehow tricks your code into setting h.Secure to the wrong setting.
It all depends on whether the URL scheme itself is unicode or not. Anyone know? http://en.wikipedia.org/wiki/URI_scheme says that the lowercase versions are canonical, but I’m not sure if they can be unicode points or not?
Perhaps a very esoteric concern, probably what you are doing is fine.