c - Is InternetOpenUrl function on Windows secure enough? If not, how to make it stronger? -

the internetopenurl() documentation says:

wininet functions use simple check against certificates comparing matching host names , simple wildcarding rules.

that suggests it's not doing much, , can circumvented e.g. forging self-signed certificate.

on other hand, kb 182888 "how handle invalid certificate authority error wininet" suggests wininet functions indeed checking root ca.

what truth? internetopenurl() fail if cert not valid. or if not fail, verify cert ourselves, in simplest possible way. how can it?

tl; dr; yes, internetopenurl() checks certificate authority default.

i did little test:

#include <cassert> #include <iostream> #include <windows.h> #include <wininet.h>  int main(int argc, char *argv[]) {     hinternet internet = internetopena("test agent",                                       internet_open_type_direct,                                       null,                                       null,                                       0);     assert(internet != null);     char url[] = "https://urlgoeshere";     hinternet connection = internetopenurla(internet,                                            url,                                            null,                                            0,                                            0,                                            null);     std::cout << "error while opening url " << url << " : "               << getlasterror()               << " handle: " << connection << std::endl;       return 0; } 

and yes, when using self-signed certificate returns error code 12045, error_internet_invalid_ca.