SECURITY ADVISORY: Discord Messenger does not check the server's certificate #45
Comments
More precisely, this assumption was fine back when Discord Messenger was still being developed, but not now.
To fix this, I ought to make httplib load the certificates from Discord. I don't know how to do that, so I'll do the next best thing: enable server verification by default and disable it if required to log in.
NOTE: HTTPS and WebSocket traffic is always encrypted. However, disabling server verification puts you at risk of accessing a compromised service.
Ok, seems like I will also need to get websocketpp to work. Tried adding these to the TLS init handler, but it won't even connect to the WebSocket gateway on Win11 due to TLS handshake errors:

```cpp
ctx->set_default_verify_paths();
ctx->set_verify_mode(websocketpp::lib::asio::ssl::verify_peer | websocketpp::lib::asio::ssl::verify_fail_if_no_peer_cert);
```
I think this issue should be unpinned since it has been fixed.
True. There isn't a need to remind me though.
Hello everyone.
I have just realized that my disabling server verification (src/windows/NetworkerThread.cpp) leads to the possibility of a man-in-the-middle attack.
If using V1.00, ensure that you can access Discord and don't get certificate errors while connected to the network you're trying to use Discord Messenger from.
This will be fixed in a future version by bundling the certificate(s) for Discord into the client.
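The three client states this thread describes (verification disabled as in V1.00, verification enabled against the OS trust store, and the certificate bundled into the client), as an added example that is not part of the original issue or of Discord Messenger's code. It is written in Go rather than C++ because Go's standard library can mint a self-signed certificate and stand up a TLS server on loopback in one self-contained file; the rogue certificate, the loopback server, its response text and the policy function names are all constructed for the example. Each policy maps onto the settings discussed above: `InsecureSkipVerify: true` is what disabling verification amounts to, a plain `tls.Config` is the equivalent of httplib's `enable_server_certificate_verification(true)` together with asio's `set_default_verify_paths()` and `verify_peer`, and a custom `RootCAs` pool is the bundled-certificate approach.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Outcome records whether each client policy accepted the rogue server.
type Outcome struct {
	VerifyOff   bool // InsecureSkipVerify: true, the V1.00 behaviour
	SystemRoots bool // default verification against the OS trust store
	Pinned      bool // a copy of the expected certificate bundled with the client
}

// newSelfSignedCert mints a throwaway certificate (constructed in-process, not a real
// Discord certificate): well-formed, but issued by no authority the OS trusts, which
// is exactly what a man-in-the-middle would present.
func newSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "mitm.invalid"},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens here
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// VerifyOff reproduces the vulnerable setting: any certificate is accepted.
func VerifyOff() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// VerifyWithSystemRoots is "enable server verification by default": the OS trust store decides.
func VerifyWithSystemRoots() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS12} }

// VerifyPinned is "bundle the certificate into the client": only the bundled certificate is trusted.
func VerifyPinned(expected *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(expected)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// fetch performs one GET under the given client TLS policy; a failed verification is the returned error.
func fetch(url string, cfg *tls.Config) error {
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true},
		Timeout:   5 * time.Second,
	}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// RunDemo starts the rogue TLS server on loopback and tries each policy against it.
func RunDemo() (Outcome, error) {
	var out Outcome
	cert, leaf, err := newSelfSignedCert()
	if err != nil {
		return out, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "token harvested by the wrong server") // constructed response
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()

	out.VerifyOff = fetch(srv.URL, VerifyOff()) == nil             // accepted: nothing was checked
	out.SystemRoots = fetch(srv.URL, VerifyWithSystemRoots()) == nil // rejected: unknown authority
	out.Pinned = fetch(srv.URL, VerifyPinned(leaf)) == nil          // accepted: it is the bundled cert
	return out, nil
}

func main() {
	out, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verify off: %v, system roots: %v, pinned: %v\n", out.VerifyOff, out.SystemRoots, out.Pinned)
}
```

Running it shows the verification-off client accepting whatever the rogue endpoint serves, the system-roots client failing the handshake with an unknown-authority error, and the pinned client accepting only the bundled certificate. One caveat on the bundling plan: pinning the leaf certificate breaks the client the moment the service rotates it, so pin the issuing CA (or ship several bundled certificates) and make any opt-out of verification an explicit user choice rather than a silent fallback.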