From d71c6c870ad1f9ddf0a079cf837e2940ff0e2920 Mon Sep 17 00:00:00 2001
From: Umberto Baldi <34278123+umbynos@users.noreply.github.com>
Date: Mon, 21 Aug 2023 11:11:12 +0200
Subject: [PATCH] Fix Improper Certificate Validation

Disabling TLS/SSL certificate verification might lead to attack scenarios where an attacker is able to install rouge certificates on the Arduino board. The attacker would need to be within network proximity of the victim to perform the attack.
---
 certificates/certutils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/certificates/certutils.go b/certificates/certutils.go
index f1de8f2..bd272d6 100644
--- a/certificates/certutils.go
+++ b/certificates/certutils.go
@@ -32,7 +32,7 @@ import (
 // required to connect to that server from the TLS handshake response.
 func ScrapeRootCertificatesFromURL(URL string) (*x509.Certificate, error) {
 conn, err := tls.Dial("tcp", URL, &tls.Config{
- InsecureSkipVerify: true,
+ InsecureSkipVerify: false,
 })
 if err != nil {
 logrus.Error(err)
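Review bot: With verification now enabled in `ScrapeRootCertificatesFromURL`, the certificate returned for installation should be taken from the verified path rather than from the raw list the server presented. The selection code lies below the hunk, so this is inferred, but if it still reads the last entry of `PeerCertificates` it can hand back an intermediate or an extra certificate that was never part of the validated chain; prefer `chains := conn.ConnectionState().VerifiedChains` followed by `root := chains[0][len(chains[0])-1]`. Since `false` is the zero value of `InsecureSkipVerify`, keeping the explicit field is only worthwhile with a comment stating the intent, for example `// verification must stay on: the scraped root is installed on the board`. The doc comment above the function should also state that hosts whose chain is not trusted by the local system roots now fail at `tls.Dial`, because callers that previously scraped private or self-signed endpoints will see an error instead of a certificate.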