Closed paveljamal closed 6 years ago
Currently there is no verification that the downloaded certificate can be trusted
That's what this code does: https://github.com/mreinstein/alexa-verifier/blob/master/validate-cert-uri.js
It ensures the address from which the certificate is pulled is served over https and comes from Amazon.
Currently there is no verification that the downloaded certificate can be trusted, and the certificate is being taken at face value. This is critical in verification and is called out in Amazon's documentation:
Reference: https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#checking-the-signature-of-the-request
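As an added example (not alexa-verifier's own code, and written in Go rather than the project's JavaScript so that chain verification runs self-contained on the standard library), here are the two layers side by side: the URL check that the linked validate-cert-uri.js performs, and the chain-of-trust check this issue asks for. The URL rules and the `echo-api.amazon.com` SAN name follow the Amazon documentation linked above; the roots and leaf certificates are constructed in memory purely for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ValidCertURL mirrors the validate-cert-uri.js layer (Amazon's rules: https, host s3.amazonaws.com, port 443 if given, path under /echo.api/).
func ValidCertURL(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https" && strings.EqualFold(u.Hostname(), "s3.amazonaws.com") &&
		(u.Port() == "" || u.Port() == "443") && strings.HasPrefix(u.Path, "/echo.api/")
}

// TrustedAlexaCert is the step the issue says is missing: the downloaded leaf must chain to
// a root in our trust store, be valid at `now`, and name the Alexa signing host in its SAN.
func TrustedAlexaCert(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "echo-api.amazon.com", CurrentTime: now})
	return err == nil
}

// makeCert issues a constructed in-memory test certificate (parent == nil: self-signed root).
func makeCert(cn string, dns []string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo: both leaves look identical at face value; only the one under the trusted root verifies.
func Demo() (trusted, rogue bool) {
	root, rootKey := makeCert("Trusted Root", nil, true, nil, nil)
	other, otherKey := makeCert("Unknown Root", nil, true, nil, nil)
	good, _ := makeCert("echo-api", []string{"echo-api.amazon.com"}, false, root, rootKey)
	bad, _ := makeCert("echo-api", []string{"echo-api.amazon.com"}, false, other, otherKey)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return TrustedAlexaCert(good, pool, time.Now()), TrustedAlexaCert(bad, pool, time.Now())
}
```

In a real verifier the pool is the system or pinned root store rather than a constructed root, and the leaf is the certificate fetched from the validated URL.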