No SSL server certificate validation → No SSL MITM protection #17

Status: Open. Wants to merge 2 commits into base: master.

Conversation

@jaseg commented Aug 10, 2013

Even if using HTTPS, you are manually deactivating SSL server cert verification.
https://github.com/ConradIrwin/showterm/blob/5df9541b381037c4dba5208d56340e4f29fe5847/lib/showterm.rb#l168
I just checked the hard-coded HTTPS URL, and my Firefox says the certificate is valid, so Ruby should not say otherwise and this is not even necessary.

In this case, an even better option than just enabling SSL cert verification is to enable it and hardcode the server cert's public key(s). Since, after all, the URL is hardcoded, too, this does not make much of a difference except for increasing transport security.

The only thing left to do now is to move to a host with proper SSL support, since otherwise anybody with a heroku account can still MITM you because there is only one cert for all of *.herokuapp.com.

@ConradIrwin (Owner) commented

@jaseg thanks for this! I'd rather not hard-code the public key as (at least in my experience) they have a tendency to change. (The gist gem was broken for many months for this reason).

I'm happy to accept the first patch but I need to test it on a few platforms first (again I've seen oddness due to homebrew OpenSSL having different trust roots from OSX; that is a problem for https://gemfury.com.)

In general I'm not too worried about a MitM attack because you're uploading something that's going to be accessed over http anyway.

I guess the best solution would be to get a free SSL cert and then hardcode its public key (and then always renew using the same key), I'm just lazy :p

@jaseg (Author) commented Aug 11, 2013

You would not even have to get a free cert, you could just make a self-signed one since only one client will ever be talking through that cert, and that client could just have that cert hard-coded as the only allowed CA cert.
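The two client-side options discussed in this thread (the Aug 10 comment: turn verification back on and pin the server's public key; the Aug 11 comment: trust a self-signed cert as the only allowed CA) side by side with the `VERIFY_NONE` pattern the PR removes. This is an added example, not code from showterm or from either participant: it generates a throwaway self-signed certificate in memory, serves it from a local TLS socket, and runs a `Net::HTTP` client against it in each mode. The certificate, the loopback server and the helper names (`make_self_signed`, `start_tls_server`, `fetch_*`, `run_demo`) are constructed for this example and exist nowhere in the project.

```ruby
require 'openssl'
require 'net/http'
require 'socket'

# Constructed for this example: a self-signed cert for 127.0.0.1/localhost.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn},IP:127.0.0.1"))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Minimal loopback HTTPS server answering every request with "ok".
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  listener = TCPServer.new('127.0.0.1', 0)
  ssl_listener = OpenSSL::SSL::SSLServer.new(listener, ctx)
  Thread.new do
    loop do
      begin
        conn = ssl_listener.accept
        loop { line = conn.gets; break if line.nil? || line == "\r\n" } # discard request headers
        body = 'ok'
        conn.write("HTTP/1.1 200 OK\r\nContent-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}")
        conn.close
      rescue IOError, Errno::EBADF
        break # listener closed by run_demo
      rescue OpenSSL::SSL::SSLError, SystemCallError
        next  # client refused our certificate; expected in the negative cases
      end
    end
  end
  [listener.addr[1], listener]
end

# SHA-256 over the DER SubjectPublicKeyInfo: the value a client would hard-code.
def spki_sha256(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.public_key.to_der)
end

# The pattern the PR removes: any certificate is accepted, so any on-path
# attacker with any cert can read and rewrite the upload.
def fetch_unverified(port)
  http = Net::HTTP.new('127.0.0.1', port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http.get('/').body
end

# Chain validation against an explicit trust store. Passing only the
# self-signed server cert is the "only allowed CA cert" option.
def fetch_verified(port, trusted_certs = [])
  http = Net::HTTP.new('127.0.0.1', port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  http.cert_store = store
  http.get('/').body
end

# Chain validation plus a public-key pin on the leaf. The pin only ever
# tightens the check: preverify_ok is never overridden to true.
def fetch_pinned(port, trusted_certs, pin_hex)
  http = Net::HTTP.new('127.0.0.1', port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  http.cert_store = store
  http.verify_callback = lambda do |preverify_ok, store_ctx|
    return preverify_ok unless store_ctx.error_depth.zero?
    preverify_ok && spki_sha256(store_ctx.current_cert) == pin_hex
  end
  http.get('/').body
end

def rejected?
  yield
  false
rescue OpenSSL::SSL::SSLError
  true
end

# Runs all four cases against the loopback server and reports the outcomes.
def run_demo
  key, cert = make_self_signed('localhost')
  port, listener = start_tls_server(key, cert)
  {
    unverified: fetch_unverified(port),                             # "ok": nothing checked
    empty_store_rejected: rejected? { fetch_verified(port) },       # true: unknown issuer
    self_signed_as_ca: fetch_verified(port, [cert]),                # "ok": cert is the trust root
    pinned: fetch_pinned(port, [cert], spki_sha256(cert)),          # "ok": key matches pin
    wrong_pin_rejected: rejected? { fetch_pinned(port, [cert], 'f' * 64) } # true: key mismatch
  }
ensure
  listener&.close
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

The `fetch_pinned` callback keeps the chain check and adds the pin on depth 0 only; a callback that returns `true` on a failed `preverify_ok` would be `VERIFY_NONE` with extra steps. As the owner notes above, a pin has to be rotated together with the key, which is exactly why pinning the key of a cert you issue yourself (and keep the key for on renewal) is easier to live with than pinning a CA-issued one.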

@jaseg (Author) commented Dec 22, 2013

Ping? Depending on how lazy you are I can generate you a self-signed cert if you want :)
