libpagekite icon indicating copy to clipboard operation
libpagekite copied to clipboard
verified publisher icon pagekite

SSL certificates are not yet verified

Open pagekite opened this issue 11 years ago • 2 comments

When connecting with HTTPS, the SSL certs are not yet verified, making the whole thing insecure.

pagekite avatar Jan 08 '14 01:01 pagekite

Further details on this. In order to fix this issue, libpagekite needs to support the following:

- Discovery & use of OS certificate authority stores.
- Support for a TOFU model of some sort.
- Specification of acceptable certificate details (fingerprints, names) via. API methods.

Whether we use TOFU or the standard SSL PKI (CA certs) model is an unanswered question at this point; PKI is the standard but it has some nasty failure modes.

This is a particularly sensitive part of the app, because if we refuse connections because a certificate doesn't validate, there is a risk of false positives taking customer devices offline. So although security is important, we don't want to make things less reliable.

pagekite avatar Mar 07 '16 18:03 pagekite

Progress was made in b8fba94350f933c6f2bc20e723efbb39d78320bf, f5f26701abd273d87c7897686c630fe183fce668, 3e06b511d49e0532a94f9656d0d3596084f05f4b, 6d80418a9b4160a8bb0e2da9ceffa396f0028cf4 ... but we're not there yet.

BjarniRunar avatar Mar 08 '16 11:03 BjarniRunar