Summary
Networking.cpp:311-313 explicitly disables TLS certificate validation for every libcurl request the client makes:
if (!Verify(curl_easy_setopt(m_pCurl, CURLOPT_SSL_VERIFYHOST, 0)))
return false;
if (!Verify(curl_easy_setopt(m_pCurl, CURLOPT_SSL_VERIFYPEER, 0)))
return false;
With both options set to 0, libcurl accepts any certificate — expired, self-signed, wrong hostname, or attacker-supplied. All HTTPS traffic to *.infinidream.ai (auth, dream metadata, downloads, session tokens) is vulnerable to a man-in-the-middle on any untrusted network (coffee shop Wi-Fi, hotel networks, compromised routers, etc.).
This was flagged as Critical in the 2026-04-10 Windows security scan (metarepo docs/plans/2026-04-10-windows-client-security-scan.md), but the code is shared cross-platform, so macOS is affected too.
History
git log -S traces the two lines to commit 328f20d8 by Daniel Svoboda, Feb 4 2017, titled "Changed protocol to https". The verification bypass was added in the very same commit that flipped the client from HTTP to HTTPS — almost certainly a "make it work" workaround for a cert issue at the time (self-signed staging cert, hostname mismatch, etc.). It has been shipping unchanged for ~9 years and predates the current infinidream.ai infrastructure entirely.
(A 2023 whitespace reformat — "IndentWidth = 4" — is what git blame points at directly, but that's not the real origin.)
Proposed fix
Remove the two setopt calls. libcurl's defaults are VERIFYPEER=1 and VERIFYHOST=2 (both enabled), which is what we want.
- macOS: the app links
/usr/lib/libcurl.4.dylib, which is built against SecureTransport and uses the system keychain. Verification will "just work" with no CA bundle shipped.
- Windows (
windows-vs2022-new branch): depends on the TLS backend libcurl is built against. Schannel uses the Windows cert store and works out of the box. OpenSSL (likely, given the bundled openssl-1.0.2k/) needs a cacert.pem shipped with the installer and CURLOPT_CAINFO pointed at it — otherwise every HTTPS request will fail with CURLE_SSL_CACERT. This should be verified on that branch before merging.
Test plan
Summary
Networking.cpp:311-313explicitly disables TLS certificate validation for every libcurl request the client makes:With both options set to 0, libcurl accepts any certificate — expired, self-signed, wrong hostname, or attacker-supplied. All HTTPS traffic to
*.infinidream.ai(auth, dream metadata, downloads, session tokens) is vulnerable to a man-in-the-middle on any untrusted network (coffee shop Wi-Fi, hotel networks, compromised routers, etc.).This was flagged as Critical in the 2026-04-10 Windows security scan (metarepo
docs/plans/2026-04-10-windows-client-security-scan.md), but the code is shared cross-platform, so macOS is affected too.History
git log -Straces the two lines to commit328f20d8by Daniel Svoboda, Feb 4 2017, titled "Changed protocol to https". The verification bypass was added in the very same commit that flipped the client from HTTP to HTTPS — almost certainly a "make it work" workaround for a cert issue at the time (self-signed staging cert, hostname mismatch, etc.). It has been shipping unchanged for ~9 years and predates the current infinidream.ai infrastructure entirely.(A 2023 whitespace reformat — "IndentWidth = 4" — is what
git blamepoints at directly, but that's not the real origin.)Proposed fix
Remove the two
setoptcalls. libcurl's defaults areVERIFYPEER=1andVERIFYHOST=2(both enabled), which is what we want./usr/lib/libcurl.4.dylib, which is built against SecureTransport and uses the system keychain. Verification will "just work" with no CA bundle shipped.windows-vs2022-newbranch): depends on the TLS backend libcurl is built against. Schannel uses the Windows cert store and works out of the box. OpenSSL (likely, given the bundledopenssl-1.0.2k/) needs acacert.pemshipped with the installer andCURLOPT_CAINFOpointed at it — otherwise every HTTPS request will fail withCURLE_SSL_CACERT. This should be verified on that branch before merging.Test plan
curl-style local MITM or a self-signed test server) that the connection is now refused rather than silently trusted