For a project, we are considering a little-less-than-trivial HTTPS
setup for communication between components. Amongst other things, we
need RoR to consume a REST interface implemented by a Java servlet.
For reasons beyond the scope of this post, we need the client to
validate the server not against the DNS name of the server but on some
application specific "Common Name" in the server certificate.
That's why I was examining today exactly how an ActiveResource client
in RoR handles server verification. I was surprised to see that there
is no validation at all :-(
From the file connection.rb of the ActiveResource source (I checked
both versions 2.0.2 and 2.1.0):
def http
  http = Net::HTTP.new(@site.host, @site.port)
  http.use_ssl = @site.is_a?(URI::HTTPS)
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl
  http.read_timeout = @timeout if @timeout # If timeout is not set, the default Net::HTTP timeout (60s) is used.
  http
end
This function seems to be called each time a request is made to the
server. If SSL is used, it sets verify_mode to VERIFY_NONE.
Furthermore, I could not find a method or property to override this
default.
The file base.rb in ActiveResource states:
# For obvious security reasons, it is probably best if such services are available
# over HTTPS.
Without server verification, however, it seems to me that not much
security is left. RoR applications acting as a REST client using
ActiveResource could easily be lured into disclosing sensitive
information to impersonated servers.
Is this indeed to be considered a security flaw in ActiveResource or
am I missing something?
-- Duco
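One way to replace the VERIFY_NONE default with real peer verification plus the application-specific Common Name check the post asks for, as an added example that is not part of the original post or of ActiveResource. The host, port, CA bundle path and CN are constructed placeholders; Net::HTTP's own hostname check against site.host stays in effect, so the CN requirement is layered on top of it rather than replacing it.

```ruby
require 'net/https'
require 'openssl'
require 'uri'

# Return true when the certificate's subject carries exactly the
# application-specific Common Name we require.
def leaf_cn_matches?(cert, expected_cn)
  cn_entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  !cn_entry.nil? && cn_entry[1] == expected_cn
end

# Build a Net::HTTP like ActiveResource's #http, but with the peer chain
# verified against ca_file and the leaf certificate's CN pinned.
def build_verified_http(site, ca_file:, expected_cn:)
  http = Net::HTTP.new(site.host, site.port)
  http.use_ssl = site.is_a?(URI::HTTPS)
  if http.use_ssl?
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER # instead of VERIFY_NONE
    http.ca_file = ca_file
    http.verify_callback = lambda do |preverify_ok, store_ctx|
      # Never overrule a chain-validation failure OpenSSL already found.
      return false unless preverify_ok
      # Depth 0 is the server's own certificate; CA certs pass through.
      return true unless store_ctx.error_depth.zero?
      leaf_cn_matches?(store_ctx.current_cert, expected_cn)
    end
  end
  http
end

# Constructed self-signed certificate, used only to exercise the CN check
# offline; it stands in for the certificate a server would present.
def constructed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/O=Example/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

Because the callback returns false whenever preverify_ok is false, a certificate with the right CN but issued by an untrusted CA is still rejected; the CN test only narrows what an otherwise valid chain may assert.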