analogdevicesinc / iio-oscilloscope

A GTK+ based oscilloscope application for interfacing with various IIO devices

Home Page:https://wiki.analog.com/resources/tools-software/linux-software/iio_oscilloscope


Please do not disable peer cert verification during update check

rgov opened this issue · comments

https://github.com/analogdevicesinc/iio-oscilloscope/blob/master/phone_home.c#L58-L63

This disables certificate validation when checking for updates. Please don't do this. Disabling certificate validation allows a malicious network to modify the update information, and could potentially lead a user to install a malicious update.

This is not necessary because the updates are provided by GitHub which has a valid certificate. If the client is unable to verify GitHub's certificate, it is a misconfiguration of their system. The best behavior in this case is to fail, rather than silently continue.
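To make the point concrete, here is an added Python example (not the project's C code from phone_home.c, and not anything rgov posted) that puts the unverified TLS setup the issue describes beside a verified one, audits a context for the two settings that matter, and makes the update check fail closed rather than proceed over an unverified connection. The GitHub releases URL is an assumed stand-in for whatever endpoint the real update check queries.

```python
import json
import ssl
import urllib.request

# Assumed endpoint for an update check; not taken from the project's phone_home.c.
RELEASES_URL = "https://api.github.com/repos/analogdevicesinc/iio-oscilloscope/releases/latest"


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern from the issue: TLS is used, but the server's certificate
    is never validated, so any on-path network can pose as the update server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate, self-signed included
    return ctx


def update_check_context() -> ssl.SSLContext:
    """Verified context: system CA store, full chain required, hostname matched."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """List the settings that would let a malicious network tamper with the
    update check; an empty list means the context verifies the peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    return findings


def fetch_latest_release(url: str = RELEASES_URL, ctx: ssl.SSLContext = None) -> dict:
    """Fail closed: refuse an update check over an unverified context, and surface
    a certificate failure instead of silently retrying without verification."""
    ctx = ctx or update_check_context()
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing update check: " + "; ".join(findings))
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return json.load(resp)
    except ssl.SSLCertVerificationError as exc:
        # A failed verification means a broken trust store or an interposed
        # network; either way the check must stop here, not continue.
        raise RuntimeError(f"update check aborted, certificate invalid: {exc}") from exc
```

`audit_context` is the piece worth lifting into a test or a startup self-check: it catches the misconfiguration offline, before any update request is sent.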

Thank you for pointing this out!

Closing now, since the PR was merged.
[edit] Feel free to re-open the issue if that's the case.