```go
tlsConf := &tls.Config{
	RootCAs: pool,
	// Hologram only uses TLS to ensure the credentials that go across the wire are kept secret, and since go uses
	// ECDHE by default, we actually don't care about leaking keys or authenticating either end of the connection.
	InsecureSkipVerify: true,
}
```
Is that a reasonable assumption? Does it allow MITM-ing the hologram server connection?
Good catch. I don't think that is a reasonable assumption. The reason being that if we aren't authenticating the connection, then we could be doing ECDHE with a MITM, which would mean a MITM could acquire the credentials that are sent.
That's what I thought. Here's what would make me happy: the server optionally listens with no SSL. I already run this thing behind an AWS ELB, and could just terminate SSL at the ELB and use a managed certificate on that side. The client should check certificates by default.
From here: https://github.com/AdRoll/hologram/blob/master/transport/remote/client.go#L37-L42
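The MITM the replies describe, shown as an added example in Go. This is not Hologram's code and not from this thread: it assumes a server name `hologram.example`, generates two self-signed certificates in-process (one standing in for the genuine server's, one for an attacker's, both claiming the same name), and serves each on a loopback port. `Demo` dials with the quoted config (`RootCAs` set but `InsecureSkipVerify: true`), which completes the handshake against the attacker's certificate, and with the same config minus `InsecureSkipVerify`, which rejects the attacker's certificate and still accepts the genuine one, i.e. the "client should check certificates by default" behaviour asked for above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assumption: the hostname the client expects; the cert SAN and ServerName must agree.
const serverName = "hologram.example"

// newSelfSignedCert builds a throwaway self-signed server certificate for serverName.
// Called twice it yields the "genuine" cert and the one a MITM would present: same name, different key.
func newSelfSignedCert() (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// tryHandshake serves cert once on a loopback port and dials it with conf, returning the
// client-side handshake error. The server only completes the handshake and hangs up, so
// whether the dial succeeds is decided purely by the client's verification policy.
func tryHandshake(cert tls.Certificate, conf *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.SetDeadline(time.Now().Add(5 * time.Second))
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), conf)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome records how each client configuration reacts to an attacker's cert versus the genuine one.
type Outcome struct {
	InsecureAcceptsMITM  bool // the quoted config: RootCAs set but InsecureSkipVerify: true
	VerifyingRejectsMITM bool // RootCAs set, verification left on
	VerifyingAcceptsReal bool // the same verifying config against the genuine server
}

// Demo runs the three handshakes. The first is the bug from the issue: with InsecureSkipVerify
// the client does ECDHE with whoever answers, so a MITM holding its own certificate sits inside
// the tunnel and receives the credentials.
func Demo() Outcome {
	realCert, realLeaf := newSelfSignedCert()
	mitmCert, _ := newSelfSignedCert() // attacker's own key, same hostname
	pool := x509.NewCertPool()
	pool.AddCert(realLeaf) // the client trusts only the genuine server certificate
	insecure := &tls.Config{RootCAs: pool, ServerName: serverName, InsecureSkipVerify: true}
	verifying := &tls.Config{RootCAs: pool, ServerName: serverName}
	return Outcome{
		InsecureAcceptsMITM:  tryHandshake(mitmCert, insecure) == nil,
		VerifyingRejectsMITM: tryHandshake(mitmCert, verifying) != nil,
		VerifyingAcceptsReal: tryHandshake(realCert, verifying) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo()) // expect all three fields true
}
```

Note that once `InsecureSkipVerify` is set, crypto/tls accepts any certificate and any host name, so the `RootCAs` pool in the quoted snippet buys nothing; dropping the flag is the whole fix on the client side, and the pool then does exactly what the snippet's author presumably meant it to do.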