-
Notifications
You must be signed in to change notification settings - Fork 68
CERTIFICATE_VERIFY_PROC_JS_CHECK
When using HTTPS as the transport, security is provided by Transport Layer Security (TLS). TLS, and its predecessor SSL, are widely used on the Internet to authenticate a service to a client, and then to provide confidentiality to the channel. This check looks for common development errors which results in insecure apps due to mistakenly opting out of X.509 certificate validation, or importing untrusted certificates.
Opting out of TLS's X.509 certificate validation makes it possible to eavesdrop on and tamper with the network communication between the user and the application.
If nodeIntegration
is also enabled, an attacker can inject malicious JavaScript and compromise the user’s host.
Verify that the application does not explicitly opt out of TLS validation.
Look for occurrences of setCertificateVerifyProc
:
win.webContents.session.setCertificateVerifyProc((request, callback) => {
const { hostname } = request;
if (hostname === 'doyensec.com') {
callback(0) //success and disables certificate verification
}
else {
callback(-3) //use the verification result from chromium
}
})
Or importCertificate
:
import { app } from "electron";
let options, callback;
app.importCertificate(options, callback);