Package: librole-rest-client-perl Severity: important Dear maintainer,
Your package uses the Perl module HTTP::Tiny, but it does not force the verify_SSL attribute to a true value. By default, HTTP::Tiny does not validate the identity of server certificates. The documentation states that "Server identity verification is controversial and potentially tricky..." [1] As late as 2015, upstream has been doubling up: "we're not going to be responsible for the user's trust model" [2] I believe, on the other hand, that the encryption of a transmission has no value when talking to the wrong person. You can easily see HTTP::Tiny's useless and dangerous default in Role::REST::Client by running the script at the end of this message. Will you please turn on the verify_SSL attribute in HTTP::Tiny? Alternatively, please alert your users so they do not rely on standard HTTPS security guarantees when using your module. Kind regards Felix Lechner [1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT [2] https://github.com/chansen/p5-http-tiny/issues/68 * * * #!/usr/bin/perl { package RESTExample; use Moo; with 'Role::REST::Client'; sub access { my ($self) = @_; my $response = $self->get('/'); return $response->data if $response->code == 200; } } my $badssl = RESTExample->new(server => 'https://self-signed.badssl.com/'); print $badssl->access;