citizenfx/cfx-server-data

Man-In-The middle attack due to SSL CERT

emxia opened this issue · 2 comments

emxia commented

The default certificate generated by the FXServer is trusted implicitly by the FiveM Client.
Users should always be warned - or have the option to accept the risk of connecting to servers which present a TLS certificate not signed by a trusted root certificate authority such as Let's Encrypt.

It seems the certificate is generated by FXServer in the event that none is present.
Users should be generating their own SSL certificates if it's for friends, and using a service like Let's Encrypt, or COMODO, etc., if it's monetized, since it will be easy to provide justification.

Nah. TLS is not used to provide secrecy here, it's only there because client libraries don't implement h2 over non-TLS.

Requiring users to set up a whole certificate renewal chain or 'get warned lol' is way out of scope and will only negatively impact the ecosystem.

Also, this is the wrong place for such issues/requests, for this is the server-data repo.

emxia commented