Bug #2860
Support #2696: security review
implement proper server certificate validation in spawned clients
Status: Closed
Priority: Normal
Assignee: -
Target version: -
Start date:
Due date:
% Done: 0%
billable: No
vendor_id: GCD
case_num:
version:
Related issues
History
#1 Updated by Greg Shah over 8 years ago
The current web client disables server certificate validation when connecting. This is insecure and makes our code vulnerable to man-in-the-middle (MITM) attacks. The solution is to provide the server's certificate and/or proper CA in a truststore that is sent down to the client via the temporary client session. Or, if the already existing keystore is enough, to make it work properly.
For more details, see #2778-97.
At a minimum this security issue affects the web client.
#2 Updated by Greg Shah over 8 years ago
- Status changed from New to Closed
Fixed in task branch 2677a revision 11065.
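
The approach described in note #1, sketched as an added example; this is not the code from the task branch or from the project. It builds the client's TLS context from truststore bytes handed to it (for instance via the session data) instead of a trust-all manager, and goes slightly beyond the note by also enabling hostname verification. The class and method names, the PKCS#12 format and the command-line arguments are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

public class SpawnedClientTls {  // hypothetical name, not a project class
    /** Build an SSLContext that trusts only the certificates in the supplied PKCS#12 truststore. */
    static SSLContext contextFor(byte[] truststore, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(truststore), password);
        if (ks.size() == 0) {
            // Fail closed: no fallback to a trust-all manager or to the JVM default store.
            throw new GeneralSecurityException("truststore contains no trust anchors");
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // no client key, default SecureRandom
        return ctx;
    }

    /** Client-mode engine with hostname checking, which raw engines and sockets leave off. */
    static SSLEngine clientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");  // match certificate to host name
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <truststore.p12> <password> <server-host> <port>
        byte[] store = Files.readAllBytes(Paths.get(args[0]));
        SSLContext ctx = contextFor(store, args[1].toCharArray());
        SSLEngine engine = clientEngine(ctx, args[2], Integer.parseInt(args[3]));
        System.out.println("endpoint identification: "
            + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

With this context, a handshake against a server whose certificate does not chain to an entry in the supplied truststore, or whose name does not match, fails instead of completing silently.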