This repository has been archived by the owner on Jul 24, 2023. It is now read-only.
Currently, this Gem does not verify server certificates by default. It does check whether the common name or subjectAltName matches, but does not verify whether the certificate was issued by a trusted certificate authority, effectively making that check useless. The code does print a warning when making the request but I think that it does not communicate the full impact of the problem (a MITM attack would make it possible to fully impersonate an OpenID provider, see https://openid.net/specs/openid-authentication-2_0.html#anchor41 section 15.1.2) and is probably ignored by a lot of users.
It is possible to manually enable server certificate verification by specifying a CA bundle, but it is not clear why the verification could not be enabled by default without requiring users to download a CA bundle from somewhere on the internet which might or might not contain the CAs the user really wants to trust. Net::HTTP has been verifying server certificates by default since 2010 (see https://bugs.ruby-lang.org/issues/2579) and can use the operating system's default CAs just fine, but ruby-openid deliberately disables the verification.
So, please make server certificate verification the default as long as it is not very explicitly disabled even when not specifying a CA path.
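As an added illustration (not part of the issue and not ruby-openid's own code), the Ruby script below shows why a hostname match without chain validation is not a useful check. It constructs a throwaway CA, a leaf certificate issued by that CA, and a rogue self-signed certificate that copies the same hostname into its subjectAltName. The hostname check (`OpenSSL::SSL.verify_certificate_identity`) accepts both certificates; only verification against a trust store containing the CA rejects the rogue one. It also shows the `Net::HTTP#verify_mode` setting the issue refers to, with the weak value beside the default. The hostname `openid.example.test`, all keys and certificates, and the helper names are assumptions made for this example.

```ruby
require 'openssl'
require 'net/http'

# Constructed hostname standing in for an OpenID provider (not a real host).
HOST = 'openid.example.test'

# Build an X.509 certificate. With issuer_cert nil the certificate is
# self-signed; otherwise it is signed by issuer_key on behalf of issuer_cert.
def build_cert(subject:, key:, serial:, issuer_cert: nil, issuer_key: nil,
               san: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}"))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Run the comparison: hostname check alone vs. hostname check plus chain
# validation against a store that trusts only our constructed CA.
def run_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert(subject: '/CN=Example Root CA', key: ca_key, serial: 1, ca: true)

  # Legitimate leaf certificate: issued by the CA, SAN names HOST.
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = build_cert(subject: "/CN=#{HOST}", key: leaf_key, serial: 2,
                    issuer_cert: ca, issuer_key: ca_key, san: HOST)

  # Rogue certificate: self-signed by an attacker's key, but with the same SAN.
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue = build_cert(subject: "/CN=#{HOST}", key: rogue_key, serial: 3, san: HOST)

  store = OpenSSL::X509::Store.new
  store.add_cert(ca) # trust only our constructed CA

  {
    # Name matching passes for both: the rogue cert simply claims the name.
    leaf_name_ok: OpenSSL::SSL.verify_certificate_identity(leaf, HOST),
    rogue_name_ok: OpenSSL::SSL.verify_certificate_identity(rogue, HOST),
    # Chain validation is what actually separates them.
    leaf_chain_ok: store.verify(leaf),
    rogue_chain_ok: store.verify(rogue),
    rogue_chain_error: store.error_string
  }
end

# Net::HTTP client for the provider. verify: false is the weak setting the
# issue complains about; verify: true (the default here) uses VERIFY_PEER and,
# with no ca_file/ca_path set, falls back to OpenSSL's default trust store,
# i.e. the operating system's CAs. The connection is not opened here.
def provider_http(host, verify: true)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  http
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
  puts "default verify_mode: #{provider_http(HOST).verify_mode}"
end
```

The result shows `leaf_name_ok` and `rogue_name_ok` both true, while `rogue_chain_ok` is false with `store.error_string` reporting a self-signed certificate; this is the gap the issue describes when verification is disabled by default.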