Kolifanes/plugin.video.youtube

Certificate Validation Disabled

Opened this issue · 3 comments

The software disables certificate validation in several places, allowing an attacker who can modify traffic between the Kodi installation and YouTube to MiTM the connection, and observe and tamper with any information sent or received.

    import sys
    # starting with python 2.7.9 urllib verifies every https request
    if False == verify and sys.version_info >= (2, 7, 9):
        import ssl

        ssl_context = ssl.create_default_context()
        ssl_context.check_hostname = False
        ssl_context.verify_mode = ssl.CERT_NONE
        handlers.append(urllib2.HTTPSHandler(context=ssl_context))
        pass

Certificate validation is explicitly turned off for features such as login:

        # url
        url = 'https://www.youtube.com/o/oauth2/token'

        result = requests.post(url, data=post_data, headers=headers, verify=False)
        if result.status_code != requests.codes.ok:
            raise LoginException('Login Failed')

I suspect each instance of verify=False can simply be removed, assuming the system's trust store is properly configured.

I believe simply switching to allow verification will cause issues for Mac users and some Linux distributions at the very least.
Think it would require a method to reliably find (no idea myself covering all OSes) and provide the CA to the SSL context for verification.

Requests provides a default trust store, so different operating systems shouldn't be a problem unless users are using very outdated versions of requests. An alternative would be to include the GeoTrust Global CA certificate which signs *.google.com and youtube.com and set the CA certificate path to that file (verify=/path/to/geotrust.cert).

#116 should for now at least allow users to force verification from Settings - Advanced
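
A way to locate each place where validation is switched off, as the issue asks, is to scan the source with Python's `ast` module. This is an added example, not code from the plugin or from any commenter; the function name `find_disabled_validation` and the sample source are constructed for illustration.

```python
import ast

# Constructed sample, modelled on the two snippets quoted in the issue.
SAMPLE = '''
import ssl, requests

def login(url, post_data, headers):
    return requests.post(url, data=post_data, headers=headers, verify=False)

def make_context():
    ssl_context = ssl.create_default_context()
    ssl_context.check_hostname = False
    ssl_context.verify_mode = ssl.CERT_NONE
    return ssl_context

def fetch(url):
    return requests.get(url, verify=True)
'''

def _is_false(node):
    # True only for the literal constant False
    return isinstance(node, ast.Constant) and node.value is False

def _is_cert_none(node):
    # Matches ssl.CERT_NONE (any attribute access ending in CERT_NONE)
    return isinstance(node, ast.Attribute) and node.attr == "CERT_NONE"

def find_disabled_validation(source, filename="<source>"):
    """Return sorted (line, reason) pairs where TLS validation is switched off."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    findings.append((node.lineno, "verify=False"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if not isinstance(target, ast.Attribute):
                    continue
                if target.attr == "check_hostname" and _is_false(node.value):
                    findings.append((node.lineno, "check_hostname = False"))
                elif target.attr == "verify_mode" and _is_cert_none(node.value):
                    findings.append((node.lineno, "verify_mode = CERT_NONE"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_disabled_validation(SAMPLE):
        print("line %d: %s" % (line, reason))
```

The scan matches literal values only; a flag passed through a variable, such as the `verify` parameter tested in the first snippet, still has to be traced by hand.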