Security weakness in ActiveResource?

For a project, we are considering a little-less-than-trivial HTTPS
setup for communication between components. Amongst other things, we
need RoR to consume a REST interface implemented by a Java servlet.
For reasons beyond the scope of this post, we need the client to
validate the server not against the DNS name of the server but on some
application specific “Common Name” in the server certificate.

That’s why I was examining today exactly how an ActiveResource client
in RoR handles server verification. I was suprised to see that there
is no validation at all :frowning:

From the file connection.rb of the ActiveResource source (I checked
both version 2.0.2 and 2.1.0)

  def http
    http             =, @site.port)
    http.use_ssl     = @site.is_a?(URI::HTTPS)
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl
    http.read_timeout = @timeout if @timeout # If timeout is not

set, the default Net::HTTP timeout (60s) is used.

This function seems to be called each time a request is made to the
server. If SSL is used, it sets verify_mode to VERIFY_NONE.
Furhtermore, I could not find method or property to override this

The file base.rb in ActiveResource states:

For obvious security reasons, it is probably best if such services

are available

over HTTPS.

Without server verification, however, it seems to me that not much
security is left. RoR applications acting as a REST client using
ActiveResource could easily be lured into disclosing sensitive
information to impersonated servers.

Is this indeed to be considered a security flaw in ActiveResource or
am I missing something?

– Duco

duco wrote:

Is this indeed to be considered a security flaw in ActiveResource or
am I missing something?

I would definitely consider it a security flaw. It’s probably set to
not verify so people can use self-signed certs easily. An option to not
verify would probably be a good idea (where the default is that it does