Bug #2860

Support #2696: security review

implement proper server certificate validation in spawned clients

Added by Greg Shah over 8 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Start date:
Due date:
% Done: 0%
billable: No
vendor_id: GCD
case_num:
version:

Related issues

Related to User Interface - Bug #2778: ./ask-gui.p fails if "Program name" is filled with a misspelled program name Closed 10/23/2015

History

#1 Updated by Greg Shah over 8 years ago

The current web client disables server certificate validation when connecting. This is insecure and makes our code vulnerable to man-in-the-middle (MITM) attacks. The solution is to provide the server's certificate and/or proper CA in a truststore that is sent down to the client via the temporary client session. Or, if the already existing keystore is enough, to make it work properly.

For more details, see #2778-97.

At a minimum this security issue affects the web client.
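
Added example (editor's illustration, not FWD code and not part of this ticket): a stand-alone Go program contrasting the two client configurations the note above describes. A trust-all client completes the handshake with an impostor that presents a different certificate for the same host name, which is exactly the MITM exposure; a client restricted to a truststore holding only the server's certificate rejects the impostor, accepts the genuine server, and also rejects a certificate issued for another name (hostname verification). Go is used so the demonstration runs offline with in-memory certificates; the corresponding Java client would load the shipped truststore through KeyStore and TrustManagerFactory into an SSLContext and turn on hostname verification with SSLParameters.setEndpointIdentificationAlgorithm("HTTPS"). The host name localhost, the loopback servers, the throwaway keys and the name other.invalid are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds an in-memory self-signed certificate for host: constructed test
// material standing in for the server (or CA) certificate a deployment ships to the client.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // uniqueness is not what is exercised here
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// startServer completes the TLS handshake on every connection to a fresh loopback port,
// which is all a client needs in order to exercise its own certificate validation.
func startServer(cert tls.Certificate) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln
}

// insecureClientConfig is the flawed setting the ticket describes: with validation
// switched off, any certificate, including a man-in-the-middle's, is accepted.
func insecureClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// validatingClientConfig is the fix: the presented certificate must chain to the
// truststore and must be valid for serverName (hostname verification).
func validatingClientConfig(truststore *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{RootCAs: truststore, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// handshake reports whether tls.Dial, which validates the certificate before returning, succeeded.
func handshake(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err == nil
}

// RunScenario starts a genuine server and an impostor (same host name, different key, i.e. a
// man-in-the-middle) and reports how each client configuration fared against them.
func RunScenario() (insecureAcceptsImpostor, validatingRejectsImpostor, validatingAcceptsGenuine, validatingRejectsWrongName bool) {
	genuineCert, genuineLeaf := selfSignedCert("localhost")
	impostorCert, _ := selfSignedCert("localhost")
	genuine, impostor := startServer(genuineCert), startServer(impostorCert)
	defer func() { genuine.Close(); impostor.Close() }()
	truststore := x509.NewCertPool() // what the server would send down with the client session
	truststore.AddCert(genuineLeaf)
	trusting := validatingClientConfig(truststore, "localhost")
	return handshake(impostor.Addr().String(), insecureClientConfig()),
		!handshake(impostor.Addr().String(), trusting),
		handshake(genuine.Addr().String(), trusting),
		!handshake(genuine.Addr().String(), validatingClientConfig(truststore, "other.invalid"))
}

func main() {
	fmt.Println(RunScenario()) // prints: true true true true
}
```

Run it with go run; all four results are true. The point the ticket makes is the first one: with validation disabled the impostor's handshake succeeds, so an attacker on the path can terminate TLS and read or alter the session. Shipping a truststore that contains only the server's certificate (or its issuing CA) and keeping hostname verification on is what turns the remaining three results true, and the same two settings are what a Java client's SSLContext and SSLParameters must carry.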

#2 Updated by Greg Shah over 8 years ago

  • Status changed from New to Closed

Fixed in task branch 2677a revision 11065.
