SSL Validation Defaults to False

2016-04-21T18:27:18
ID NODEJS:104
Type nodejs
Reporter Mark Lee
Modified 2019-06-24T14:59:21

Description

Overview

Affected versions of electron-packager configure the generated application to disable SSL certificate verification by default.

This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one.

This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.

Recommendation

  1. Update to version 7.0.0 or later.
  2. Delete the electron-download cache folder, which is by default located at ~/.electron.

References