From 085d29d7cb3ff31ed5462bd7e17cdabedab1b328 Mon Sep 17 00:00:00 2001
From: Joe Horsnell
Date: Tue, 10 Apr 2018 16:56:20 +0100
Subject: [PATCH] Enable certificate verification on downloads
Disabling TLS server certificate verification undermines the security of HTTPS (ie, one might as well use HTTP) and is considered extremely bad practice:
* https://mislav.net/2013/07/ruby-openssl/
* https://brakemanscanner.org/docs/warning_types/ssl_verification_bypass/
Looks like it's been there since the initial release, so probably an oversight?
---
 lib/browserstack/localbinary.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/browserstack/localbinary.rb b/lib/browserstack/localbinary.rb
index 1e9c77c..72cfcb9 100644
--- a/lib/browserstack/localbinary.rb
+++ b/lib/browserstack/localbinary.rb
@@ -6,7 +6,7 @@ require 'browserstack/localexception'
 module BrowserStack
-
+
 class LocalBinary
 def initialize
 host_os = RbConfig::CONFIG['host_os']
@@ -39,7 +39,7 @@ def download(dest_parent_dir)
 binary_path = File.join(dest_parent_dir, "BrowserStackLocal#{".exe" if @windows}")
 http = Net::HTTP.new(uri.host, uri.port)
 http.use_ssl = true
- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 res = http.get(uri.path)
 file = open(binary_path, 'wb')
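Review bot: The response from `res = http.get(uri.path)` reaches `file = open(binary_path, 'wb')` with no status check in the hunk, so an error page or a redirect body from the download host would be saved and later run as the `BrowserStackLocal` executable; unless `download` checks it further down (its body continues past the hunk), add `raise BrowserStack::LocalException, "download failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)` before the `open` (assuming that is the class `browserstack/localexception` defines). Net::HTTP does not follow redirects on its own, so an `HTTPRedirection` here would otherwise produce a garbage binary silently. While here, `File.open(binary_path, 'wb')` is preferable to `Kernel#open`, which spawns a command when the path starts with `|`, and `dest_parent_dir` is caller-supplied. Finally, `VERIFY_PEER` authenticates the server but not the artifact; if the vendor publishes a checksum or signature for the binary, verifying it after the write would be the natural follow-up to this change.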