[0.5.0] Updater should verify SSL certificate

Bugs that are actually features.
Post Reply
Copy link
wrtlprnft
Fast Inserter
Fast Inserter
Posts: 155
Joined: Thu Feb 21, 2013 8:49 pm
Contact:
Contact wrtlprnft

[0.5.0] Updater should verify SSL certificate

Post by wrtlprnft »

I noticed that you're using HTTPS for communication with your update service.

That's obviously a good thing, however I think you should verify the certificate of the server claiming to be www.factorio.com. As it is, I can easily sniff my own password by manipulating the DNS lookup and redirecting the request to my own HTTPS server.
Top
slpwnd
Factorio Staff
Factorio Staff
Posts: 1835
Joined: Sun Feb 03, 2013 2:51 pm
Contact:
Contact slpwnd

Re: [0.5.0] Updater should verify SSL certificate

Post by slpwnd »

That is a good (and early) observation. We are using axTLS as an SSL library for Linux and Win. We were unable to get it working properly with actual certificate verification. Therefore we just hacked it and used the encryption on the connection without cert verification. We will have a look into this in the near future but there is little documentation on axTLS and all over it is a bit of 1s and 0s magic to us:) On MacOSX we are using native SSL implementation so there the cert verification should work.
Top
Post Reply

Return to “Not a bug”