Hi Peter,

Peter Gutmann wrote:
> Aaron Zauner <[email protected]> writes:
>
>> And still the case with most ruby deployments:
>> https://github.com/search?q=OpenSSL%3A%3ASSL%3A%3AVERIFY_NONE&type=Code&utf8=%E2%9C%93
>
> That produces nearly 49K results for Ruby, more than an order of magnitude
> more than the next highest, Python. Is there any chance that we're seeing a
> lot of false positives here, for example because it's being set to some
> default initialisation value that's later overridden? The matching also seems
> to be pretty fuzzy (there are 266 results for C code, which won't be doing the
> above), but also things like (from the Python results):
>
> ctx.set_verify(SSL.VERIFY_PEER, _callback)
> # ctx.set_verify(SSL.VERIFY_NONE, _callback)
>
> which is clearly a false positive. For the Ruby code there are a lot of
> results found in "bypass_ssl" and "fix_ssl"-named items and similar, I'm
> wondering whether this is mainstream SSL-usage code or some debug module that
> happens to be included somewhere that the search is finding.
Sure there are a lot of false positives, but I'd not expect them to be more
than about 10-20% of the results the GitHub search found. Which still is a
LOT.

The issue with not verifying certificates (in, for example, Ruby on Rails
apps) is very widespread. This stems simply from bad advice on Stack
Overflow/Exchange by other coders: "my app doesn't work, what is this strange
OpenSSL error, I don't know crypto" - "just don't verify, it works for me".
A couple of the first hits on Google for the issue, which will come up when
Ruby coders look for a solution to their problem:

bad or confusing advice:
https://stackoverflow.com/questions/1113422/how-to-bypass-ssl-certificate-verification-in-open-uri
http://situated.wordpress.com/2008/06/10/opensslsslsslerror-certificate-verify-failed-open-uri/
https://www.ruby-forum.com/topic/129530
http://notetoself.vrensk.com/2008/09/verified-https-in-ruby/
http://mofuken.blogspot.co.at/2012/12/ruby-open-uri-https-certificate-verify.html

good advice:
http://mislav.uniqpath.com/2013/07/ruby-openssl/

Clearly, this is an issue. Especially with code reuse within the RoR
community (which is probably more than 40% of the search results you see in
the GitHub search).

Aaron
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
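The setting the thread is arguing about, shown end to end as an added example. This is not code from the thread or from any of the pages linked above; it is a self-contained Ruby script in which two self-signed "localhost" certificates are generated in memory (a "good" one the client trusts, and a "rogue" one standing in for whatever a man-in-the-middle would present), each served by a tiny TLS server on a random loopback port. The hostnames, ports, the one-cert trust store (a stand-in for the system CA bundle) and the served payload are all constructed for the demonstration. A client with OpenSSL::SSL::VERIFY_NONE reads the rogue server's response without complaint; the same client with VERIFY_PEER rejects it and only accepts the certificate it actually trusts.

```ruby
# Added example: what OpenSSL::SSL::VERIFY_NONE gives up, demonstrated
# against local in-process TLS servers. Nothing here is taken from the
# thread or the linked posts; names, ports and payload are constructed.
require "openssl"
require "socket"

PAYLOAD = "hello over TLS\n" # constructed response, not real traffic

# Self-signed certificate for +cn+ with a matching DNS SAN, so it passes
# the hostname check whenever the client trusts it.
def make_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  name            = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Minimal TLS server on a random loopback port; returns the port. The
# serving thread survives a rejected handshake and waits for the next client.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp  = TCPServer.new("127.0.0.1", 0)
  port = tcp.addr[1]
  srv  = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        conn = srv.accept # raises when the client rejects our certificate
        conn.write(PAYLOAD)
        conn.close
      rescue StandardError
        nil # client aborted the handshake; serve the next one
      end
    end
  end
  port
end

# Client fetch. +verify_mode+ is the setting under discussion; +trusted_cert+
# is the single CA this client trusts. Returns [:ok, body] or [:rejected, why].
def tls_get(port, verify_mode:, trusted_cert:, hostname: "localhost")
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trusted_cert) }
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.hostname   = hostname # SNI
  ssl.connect               # chain validation happens here, if enabled
  # Chain validation alone does not bind the certificate to the host we
  # meant to reach; the hostname check is a separate step VERIFY_NONE skips.
  ssl.post_connection_check(hostname) if verify_mode == OpenSSL::SSL::VERIFY_PEER
  [:ok, ssl.gets.to_s.strip]
rescue OpenSSL::SSL::SSLError => e
  [:rejected, e.message]
ensure
  ssl ? ssl.close : tcp&.close
end

# Three scenarios: VERIFY_NONE against an untrusted (rogue) certificate,
# VERIFY_PEER against the same certificate, VERIFY_PEER against the trusted one.
def run_demo
  good_cert,  good_key  = make_self_signed_cert("localhost")
  rogue_cert, rogue_key = make_self_signed_cert("localhost")
  good_port  = start_tls_server(good_cert,  good_key)
  rogue_port = start_tls_server(rogue_cert, rogue_key)
  {
    verify_none_vs_rogue: tls_get(rogue_port, verify_mode: OpenSSL::SSL::VERIFY_NONE, trusted_cert: good_cert),
    verify_peer_vs_rogue: tls_get(rogue_port, verify_mode: OpenSSL::SSL::VERIFY_PEER, trusted_cert: good_cert),
    verify_peer_vs_good:  tls_get(good_port,  verify_mode: OpenSSL::SSL::VERIFY_PEER, trusted_cert: good_cert)
  }
end

if $PROGRAM_NAME == __FILE__
  run_demo.each { |scenario, result| puts "#{scenario}: #{result.inspect}" }
end
```

The rogue certificate even carries the right name, so the only thing standing between the client and the impostor is chain validation, which VERIFY_NONE turns off. The same SSLContext setting is what open-uri's :ssl_verify_mode option and Net::HTTP#verify_mode= feed through, so the "just don't verify" fix from the Stack Overflow answer above behaves exactly like the first scenario here.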
