qBittorrent, a well-known file sharing application that has existed since 2006, had for over 14 years been accepting almost any SSL certificate presented by the domains and addresses its DownloadManager connected to. This vulnerability has recently been fixed. The commit that opened up the security issue was made in April 2010, and it was quite straightforward: it merely changed the default SSL verification setting from enabled to disabled. The change eliminated annoying security warnings that could frustrate users trying to download content from untrusted sources. As of October 28, 2024, with the release of version 5.0.1, the default has been switched back to enabled. It's important to mention that qBittorrent did not provide any explanation for this adjustment and did not inform users in any notable way, apart from the regular patch notes that accompany new updates.
Understanding SSL Certificates
SSL certificates serve as security tokens that perform two main functions: they confirm that the server the client is talking to is the one it claims to be, and they enable the encryption of data transmitted over that connection. Since BitTorrent is primarily a peer-to-peer file transfer protocol, it is reasonable to expect that users might receive legitimate files from personal servers or even home computers that do not have valid SSL certificates. With the verification check turned off, users could interact with and download files from these sources without complications.
Risks of Disabled SSL Verification
However, the downside is that not having an SSL certificate, or accepting a fake one, allows virtually any server to impersonate the site the user intends to reach. This creates a risk of traffic hijacking, potentially enabling malicious actors to steal data from either the host or the user's system and even inject harmful code. Such man-in-the-middle attacks can bypass many standard security measures, including firewalls, which usually protect users from threats.
The option that determines whether the application will accept connections without validating the SSL certificate remains available to users, and those willing to take the chance can simply disable it. The average user who installs the app and starts using it is not expected to explore the settings beforehand, or to understand how SSL certificates function and the dangers of leaving verification disabled. That makes this change a positive step for improving the app's security.
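To make the two defaults concrete, here is an added Python example (my own code, not qBittorrent's Qt implementation) that builds the "verification disabled" TLS context the 2010 default amounted to, beside the verifying context that 5.0.1 restores, together with a small audit function that flags the insecure settings; the function names are assumptions for illustration.

```python
import ssl
import urllib.request


def make_context(verify_certificates):
    """Build the TLS context a download manager would hand to its HTTP client.

    verify_certificates=False reproduces the effect of the 2010 default:
    any certificate, self-signed or issued for the wrong host, is accepted.
    verify_certificates=True is the behaviour restored in 5.0.1.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    if not verify_certificates:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE  # accept any certificate at all
    return ctx


def audit_context(ctx):
    """Return the findings a defender would raise about a TLS context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def fetch(url, verify_certificates=True, timeout=10):
    """Download a URL with the chosen verification policy (network access needed)."""
    ctx = make_context(verify_certificates)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for verify in (False, True):
        print("verify =", verify, "->", audit_context(make_context(verify)) or ["ok"])
```

With verification disabled the audit reports two findings; the default context, which is what 5.0.1 returns to, reports none.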
Sources: qBittorrent | Bleeping Computer | Sharp Security