Skip to content

TLS certificate validation is disabled #546

Description

@scottdraves

Summary

Networking.cpp:311-313 explicitly disables TLS certificate validation for every libcurl request the client makes:

if (!Verify(curl_easy_setopt(m_pCurl, CURLOPT_SSL_VERIFYHOST, 0)))
    return false;
if (!Verify(curl_easy_setopt(m_pCurl, CURLOPT_SSL_VERIFYPEER, 0)))
    return false;

With both options set to 0, libcurl accepts any certificate — expired, self-signed, wrong hostname, or attacker-supplied. All HTTPS traffic to *.infinidream.ai (auth, dream metadata, downloads, session tokens) is vulnerable to a man-in-the-middle on any untrusted network (coffee shop Wi-Fi, hotel networks, compromised routers, etc.).

This was flagged as Critical in the 2026-04-10 Windows security scan (metarepo docs/plans/2026-04-10-windows-client-security-scan.md), but the code is shared cross-platform, so macOS is affected too.

History

git log -S traces the two lines to commit 328f20d8 by Daniel Svoboda, Feb 4 2017, titled "Changed protocol to https". The verification bypass was added in the very same commit that flipped the client from HTTP to HTTPS — almost certainly a "make it work" workaround for a cert issue at the time (self-signed staging cert, hostname mismatch, etc.). It has been shipping unchanged for ~9 years and predates the current infinidream.ai infrastructure entirely.

(A 2023 whitespace reformat — "IndentWidth = 4" — is what git blame points at directly, but that's not the real origin.)

Proposed fix

Remove the two setopt calls. libcurl's defaults are VERIFYPEER=1 and VERIFYHOST=2 (both enabled), which is what we want.

  • macOS: the app links /usr/lib/libcurl.4.dylib, which is built against SecureTransport and uses the system keychain. Verification will "just work" with no CA bundle shipped.
  • Windows (windows-vs2022-new branch): depends on the TLS backend libcurl is built against. Schannel uses the Windows cert store and works out of the box. OpenSSL (likely, given the bundled openssl-1.0.2k/) needs a cacert.pem shipped with the installer and CURLOPT_CAINFO pointed at it — otherwise every HTTPS request will fail with CURLE_SSL_CACERT. This should be verified on that branch before merging.

Test plan

  • Remove the two lines, build macOS app, confirm sign-in / dream downloads still work against production and staging
  • Confirm by pointing the client at a server with an invalid cert (e.g. curl-style local MITM or a self-signed test server) that the connection is now refused rather than silently trusted
  • Coordinate with the Windows port author on CA bundle strategy before landing the shared-code change

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions