CVE-2015-1828: HTTPS MitM vulnerability in http.rb: https://groups.google.com/forum/?hl=en#!topic/httprb/jkb4oxwZjkU …
@bascule yup. Can think of two or three ways you could pop Ruby but not a browser...
@sleevi_ so far: not verifying the chain, not verifying the hostname, and “custom” unmanaged truststores…
@sleevi_ I am guessing there are many Ruby client libs that are vulnerable to at least one of those
@justinleitgeb @bascule Non-exhaustive case is fine; only those two matter. Lack of else falls through to the ret false case.
@justinleitgeb @sleevi_ this code needs some love and de-regexping
@bascule @justinleitgeb Go get yourself some more CVEs. For ex, Moz did a CVE for wildcard matching IDNA names - which this code does.