From alan.briolat on July 29, 2012 04:48:21
The gstreamer pipeline uses "uridecodebin", which will default to "souphttpsrc" for HTTP/HTTPS streams. "souphttpsrc" doesn't verify SSL certificates, which means any streaming from an authenticated service is vulnerable to a man-in-the-middle attack using a self-signed certificate, which could steal login credentials or authentication tokens, depending on the service.
There is another HTTP handler, neonhttpsrc, in gstreamer-bad-plugins which does verify SSL certificates. I'd suggest that the pipeline be modified when the URI scheme is "https" to use "neonhttpsrc ! decodebin" instead of "uridecodebin".
Original issue: http://code.google.com/p/clementine-player/issues/detail?id=3077