
Certificate checks are off #5

Open
komaxx opened this issue Oct 25, 2022 · 4 comments

Comments

@komaxx

komaxx commented Oct 25, 2022

Thank you for the plugin!

When scanning the code, I've found the following in http_proxy.dart:

```dart
var client = super.createHttpClient(context);
client.badCertificateCallback =
    (X509Certificate cert, String host, int port) {
  return true; // accepts every certificate, so TLS verification is disabled
};
return client;
```

If I'm not mistaken, then that effectively turns off all certificate checks - any communication done with this http client is not protected against a wide range of attacks!

Is there a way to use proxies without disabling certificate checks?
If not, I think there should be a strong warning somewhere that the plugin should only be used for non-sensitive data or dev environments.

@wslaimin (Owner)

Good suggestion. I will add a warning to the README.

@tp

tp commented Nov 23, 2022

What's the reason to use that badCertificateCallback overwrite in the first place?

In our app we apply the proxy settings manually to our HTTP client and don't need to disable that check (just double checked this while reading about the security concerns about this package; we just use system_proxy and then set the proxy ourselves).

@vanyasem

@tp I believe it's for Charles Proxy, which sniffs HTTPS traffic for debugging purposes, and thus requires you to install a self-signed CA certificate in the platform store

Dart's http package ignores the platform store and uses its own store of CA certificates, which causes an error for Charles users

As the development of such plugins is often motivated by the desire to use Charles Proxy with Flutter, the fact that badCertificateCallback was overwritten in the plugin makes sense

Although I believe it's better to make the overwrite optional, maybe by a flag in the constructor for use cases such as yours
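The two approaches discussed above (tp's "set the proxy yourself, keep verification on" and vanyasem's "trust the Charles root CA, make the blanket override opt-in") can be combined in one `HttpOverrides` subclass. The following is an added example written for this thread, not code from the http_proxy plugin or from any commenter; the class name `ProxyHttpOverrides`, its constructor parameters, and the CA file name `charles-root.pem` are assumptions made for illustration.

```dart
import 'dart:convert';
import 'dart:io';

/// Example only, not the plugin's code: routes traffic through a proxy while
/// keeping certificate verification on. The class name, constructor
/// parameters and the CA file name are assumptions made for this example.
class ProxyHttpOverrides extends HttpOverrides {
  ProxyHttpOverrides({
    required this.proxyHost,
    required this.proxyPort,
    this.trustedCaPem,
    this.acceptAnyCertificate = false,
  });

  final String proxyHost;
  final int proxyPort;

  /// PEM text of the intercepting proxy's root CA (for Charles, the root
  /// certificate it lets you export). When set, Dart trusts this CA in
  /// addition to its bundled roots, so the proxy's forged leaf certificates
  /// verify without disabling checks for every other server.
  final String? trustedCaPem;

  /// Opt-in escape hatch equivalent to the snippet reported in this issue.
  /// Defaults to false so production builds never accept bad certificates.
  final bool acceptAnyCertificate;

  @override
  HttpClient createHttpClient(SecurityContext? context) {
    var ctx = context;
    if (trustedCaPem != null) {
      ctx = SecurityContext(withTrustedRoots: true)
        ..setTrustedCertificatesBytes(utf8.encode(trustedCaPem!));
    }
    final client = super.createHttpClient(ctx);

    // Send every request through the proxy; no certificate handling involved.
    client.findProxy = (Uri url) => 'PROXY $proxyHost:$proxyPort';

    if (acceptAnyCertificate) {
      client.badCertificateCallback =
          (X509Certificate cert, String host, int port) {
        // Log loudly: any on-path attacker can now impersonate this host.
        stderr.writeln('WARNING: accepting unverified certificate for '
            '$host:$port (subject: ${cert.subject})');
        return true;
      };
    }
    return client;
  }
}

void main() {
  // Debug configuration: route through Charles on localhost and trust only
  // its root CA. 'charles-root.pem' is an assumed path for this example.
  final caFile = File('charles-root.pem');
  HttpOverrides.global = ProxyHttpOverrides(
    proxyHost: '127.0.0.1',
    proxyPort: 8888,
    trustedCaPem: caFile.existsSync() ? caFile.readAsStringSync() : null,
  );
  // A release configuration would omit trustedCaPem and leave
  // acceptAnyCertificate at its default, so only the bundled roots are used.
}
```

`badCertificateCallback` is only consulted when chain verification has already failed, so once the proxy's root CA is in the `SecurityContext` the callback is never reached for intercepted connections, and every other host still gets full verification. Setting `HttpOverrides.global` also covers `package:http` on non-web platforms, since its `IOClient` builds on `dart:io`'s `HttpClient`.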

@johnstef99

Check this pull request #11

5 participants