From e894eb275eb1fa409751f9a2fa2b82e003aff81c Mon Sep 17 00:00:00 2001
From: Umberto Baldi <34278123+umbynos@users.noreply.github.com>
Date: Mon, 21 Aug 2023 12:18:18 +0200
Subject: [PATCH] Fix Improper Certificate Validation (#212)

Disabling TLS/SSL certificate verification might lead to attack scenarios where an attacker is able to install rouge certificates on the Arduino board. The attacker would need to be within network proximity of the victim to perform the attack.
---
 certificates/certutils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/certificates/certutils.go b/certificates/certutils.go
index f1de8f2..bd272d6 100644
--- a/certificates/certutils.go
+++ b/certificates/certutils.go
@@ -32,7 +32,7 @@ import (
 // required to connect to that server from the TLS handshake response.
 func ScrapeRootCertificatesFromURL(URL string) (*x509.Certificate, error) {
 conn, err := tls.Dial("tcp", URL, &tls.Config{
- InsecureSkipVerify: true,
+ InsecureSkipVerify: false,
 })
 if err != nil {
 logrus.Error(err)
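Review bot: Now that the `tls.Config` passed to `tls.Dial` verifies the peer, the certificate this function returns should be taken from the validated chain rather than from the list the server presented. The rest of `ScrapeRootCertificatesFromURL` lies outside the hunk, so this is only a concern if it still reads `conn.ConnectionState().PeerCertificates`; in that case the last element of `conn.ConnectionState().VerifiedChains[0]` is the safer source, because a server may append certificates that are not part of the chain that actually validated. `InsecureSkipVerify: false` is the zero value, so a comment such as `// Keep verification on: the scraped certificate is installed on the board as a trust anchor.` would record why the field is spelled out and discourage flipping it back. Separately, `tls.Dial` has no timeout; `tls.DialWithDialer(&net.Dialer{Timeout: <timeout>}, "tcp", URL, cfg)` would bound the handshake against an unresponsive host, assuming `net` can be added to the import block.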