Package: libsearch-elasticsearch-perl
Severity: important

Dear maintainer,

Your package uses the Perl module HTTP::Tiny, but it does not force the verify_SSL attribute to a true value. By default, HTTP::Tiny does not validate the identity of server certificates. The documentation states that "Server identity verification is controversial and potentially tricky..." [1] As late as 2015, upstream has been doubling up: "we're not going to be responsible for the user's trust model" [2]

Similarly, your documentation states "By default, no validation of the remote host is performed." [3]

I believe that the encryption of a transmission has no value when talking to the wrong person. You can easily see HTTP::Tiny's useless and dangerous default by running the script at the end of this message.

Will you please turn on the verify_SSL attribute in HTTP::Tiny?

Kind regards
Felix Lechner

[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68
[3] https://metacpan.org/pod/Search::Elasticsearch::Cxn::HTTPTiny

* * *

#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# Deliberately uses HTTP::Tiny's defaults (verify_SSL off) against a host
# that presents a self-signed certificate; the request is expected to succeed.
my $response = HTTP::Tiny->new->get('https://self-signed.badssl.com/');
die "Failed!\n" unless $response->{success};

print "$response->{status} $response->{reason}\n";

# Header values may be scalars or array refs (repeated headers).
while (my ($k, $v) = each %{$response->{headers}}) {
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}

print $response->{content} if length $response->{content};
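The following script is an added example, not part of the original report: it runs the same probe twice, once with HTTP::Tiny's defaults and once with verify_SSL => 1, so the effect of the requested change is visible side by side. It assumes IO::Socket::SSL and a usable CA bundle are installed; the probe() helper and its labels are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# Constructed probe: fetch a host that serves a self-signed certificate, first
# with HTTP::Tiny's default settings and then with verify_SSL enabled. A client
# that checks the server's identity must refuse the second connection.
my $url = 'https://self-signed.badssl.com/';

die "HTTP::Tiny cannot do SSL here (IO::Socket::SSL missing?)\n"
    unless HTTP::Tiny->can_ssl;

# probe() is a hypothetical helper for this example: it returns 1 if the
# request succeeded and 0 if the client refused it, printing a one-line summary.
sub probe {
    my ( $label, %client_args ) = @_;
    my $http = HTTP::Tiny->new( %client_args, timeout => 10 );
    my $res  = $http->get($url);
    printf "%-20s %s (%s %s)\n", $label,
        $res->{success} ? 'ACCEPTED self-signed certificate' : 'refused',
        $res->{status}, $res->{reason};
    return $res->{success} ? 1 : 0;
}

# Expected with stock HTTP::Tiny: the default client accepts the certificate
# (as the script in the report shows); the verifying client gets HTTP::Tiny's
# synthetic 599 "Internal Exception" response carrying the SSL verify error.
my $default_ok  = probe('default');
my $verified_ok = probe( 'verify_SSL => 1', verify_SSL => 1 );

# Exit 0 only if the defaults are indeed the weak setting and verification fixes it.
exit( ( $default_ok && !$verified_ok ) ? 0 : 1 );
```

Passing verify_SSL => 1 (or SSL_options with a CA path) to the HTTP::Tiny constructor is the change the report asks the package to make on behalf of its users.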