- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: go-security/tls-skip-verify
Language: Go
Severity: Info
Category: Security
CWE: 295
The Transport Layer Security (TLS) protocol serves to secure communications between a client and server in a network, so it’s integral to maintaining the integrity and confidentiality of data transmission.
In the Go programming language, a common pitfall is that developers sometimes set the parameter InsecureSkipVerify
of tls.Config
to true
to simplify coding or avoid certificate validation errors during testing. However, this parameter must never be set to true
in a production environment.
When InsecureSkipVerify
is set to true
, the TLS verification process is bypassed entirely. Essentially, this action is skipping the very phase that confirms the server identity, leading to possibilities of “Man-in-the-Middle” (MitM) attacks. MitM attacks occur when a malicious actor intercepts and potentially alters the communication between two parties without their knowledge.
By validating the server’s certificate, the client verifies the server’s identity and ensures that it’s safe to transmit data. If InsecureSkipVerify
is set to true
, even a server with an invalid or compromised certificate may appear trustworthy, posing significant security risks.
Therefore, always ensure that the InsecureSkipVerify
parameter is set to ‘false’ to avoid these possible security breaches. Instead of turning this parameter to ’true’ to fix certificate issues, find and resolve the reason the certificate is considered invalid. This could involve renewing expired certificates, trusting a self-signed certificate, or fixing hostname mismatches. This way, you can uphold the authenticity and privacy of your application’s client-server interactions.
package main
import (
"crypto/tls"
"fmt"
"net/http"
)
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
}
package main
import (
"crypto/tls"
"fmt"
"net/http"
)
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: false},
}
}