Bug Name
WebSocket ssl Parameter Accepts False/None Without Warning
Attack Scenario
The WebSocket init_connection method passes configuration.https_agent directly to aiohttp.ws_connect(ssl=...). When ssl=False, aiohttp disables SSL verification entirely without any warning from the SDK.
Impact
A user who sets https_agent=False would silently disable TLS certificate verification for all WebSocket connections, enabling MITM attacks.
Components
File: common/src/binance_common/websocket.py (lines 164-170, 182-188). The ssl parameter is passed straight from configuration.https_agent.
Reproduction
- Create WebSocket configuration with https_agent=False.
- Connect to WebSocket API.
- SSL verification is silently disabled -- no warning or error.
Fix
Add a validation check: if https_agent is False, raise a warning or error. Document the security implications clearly.
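One way to implement the proposed validation, as an added example that is not the SDK's own code: a hypothetical `resolve_ssl_param` helper (name, `allow_insecure` flag and `InsecureTlsWarning` are assumptions) that would sit between `configuration.https_agent` and `ws_connect(ssl=...)`, so that `False` is rejected unless the caller opts in explicitly, and even then a warning is emitted.

```python
import ssl
import warnings
from typing import Union

SslValue = Union[None, bool, ssl.SSLContext]


class InsecureTlsWarning(UserWarning):
    """Emitted only when a caller has explicitly opted out of verification."""


def resolve_ssl_param(https_agent: SslValue, *, allow_insecure: bool = False) -> Union[bool, ssl.SSLContext]:
    """Map the configuration value to what aiohttp's ssl= argument should receive.

    None / True -> a verifying default context (system trust store)
    SSLContext  -> passed through, unless it has verification switched off
    False       -> rejected, unless allow_insecure=True (then a warning is raised)
    """
    if isinstance(https_agent, ssl.SSLContext):
        if https_agent.verify_mode == ssl.CERT_NONE and not allow_insecure:
            raise ValueError("SSLContext with verify_mode=CERT_NONE disables certificate verification")
        return https_agent
    if https_agent is None or https_agent is True:
        return ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if https_agent is False:
        if not allow_insecure:
            raise ValueError(
                "https_agent=False disables TLS certificate verification for every "
                "WebSocket connection; pass allow_insecure=True to opt in explicitly"
            )
        warnings.warn("TLS certificate verification is DISABLED for WebSocket connections",
                      InsecureTlsWarning, stacklevel=2)
        return False
    raise TypeError(f"unsupported https_agent value: {https_agent!r}")


def demo_policy() -> dict:
    """Exercise each branch of the policy and report the outcomes."""
    outcome = {"default_verifies": resolve_ssl_param(None).verify_mode == ssl.CERT_REQUIRED}
    try:
        resolve_ssl_param(False)
        outcome["false_rejected"] = False
    except ValueError:
        outcome["false_rejected"] = True
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        outcome["optin_returns_false"] = resolve_ssl_param(False, allow_insecure=True) is False
        outcome["optin_warned"] = any(issubclass(w.category, InsecureTlsWarning) for w in caught)
    return outcome
```

In `init_connection` the call would then become `ws_connect(url, ssl=resolve_ssl_param(configuration.https_agent))`, so a bare `https_agent=False` can no longer reach aiohttp unnoticed.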
Details
Finding ID: SEC-05
Severity: Low
Researcher: Independent Security Researcher -- Mefai Security Team