Factorio Forums

www.factorio.com
https://forums.factorio.com/

[0.5.0] Updater should verify SSL certificate

https://forums.factorio.com/viewtopic.php?t=926

Page 1 of 1

[0.5.0] Updater should verify SSL certificate

Posted: Fri Jun 07, 2013 9:15 pm
by wrtlprnft
I noticed that you're using HTTPS for communication with your update service.

That's obviously a good thing, however I think you should verify the certificate of the server claiming to be www.factorio.com. As it is, I can easily sniff my own password by manipulating the DNS lookup and redirecting the request to my own HTTPS server.

Re: [0.5.0] Updater should verify SSL certificate

Posted: Fri Jun 07, 2013 11:19 pm
by slpwnd
That is a good (and early) observation. We are using axTLS as an SSL library for Linux and Win. We were unable to get it working properly with actual certificate verification. Therefore we just hacked it and used the encryption on the connection without cert verification. We will have a look into this in the near future but there is little documentation on axTLS and all over it is a bit of 1s and 0s magic to us:) On MacOSX we are using native SSL implementation so there the cert verification should work.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited