Security: TLS certificate validation disabled in wallet and miner clients allows MITM #2048

@createkr

Summary

The RustChain wallet and miner clients currently disable TLS certificate validation in their HTTP clients. This permits connections to endpoints presenting invalid or attacker-controlled certificates, which defeats the expected protection of HTTPS/TLS and enables machine-in-the-middle interception or response tampering on hostile networks.

Affected components

  • rustchain-wallet/src/client.rs
  • rustchain-miner/src/transport.rs

Impact

When these clients communicate with remote HTTPS endpoints, an active network attacker can impersonate a target service by presenting an invalid certificate that would normally be rejected. This can allow interception, response manipulation, and credential/session exposure depending on how the client is used.

Suggested fix

  • Keep certificate validation enabled by default
  • If an insecure development-only bypass is needed, require an explicit opt-in environment variable and document it clearly as unsafe
  • Align wallet and miner behavior so both default to secure TLS verification

I have a scoped fix prepared and can open a PR immediately.

Wallet: RTC1d48d848a5aa5ecf2c5f01aa5fb64837daaf2f35
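
A regression check for the suggested fix, added here as an example; it is not code from the issue or from the RustChain project. It assumes the clients build their HTTP client with reqwest (the issue does not name the library), and `EXAMPLE_INSECURE_TLS` is a hypothetical variable name. The audit separates a hard-coded bypass from one gated behind a variable, which still needs review as an explicit opt-in.

```rust
// Assumption: the clients use reqwest, whose ClientBuilder exposes
// danger_accept_invalid_certs and danger_accept_invalid_hostnames.
#[derive(Debug, PartialEq)]
enum Finding {
    /// Literal `true`: certificate validation is always off.
    Hardcoded { line: usize, call: &'static str },
    /// Non-literal argument: confirm it is an explicit, documented opt-in.
    Conditional { line: usize, call: &'static str },
}

const BYPASS_CALLS: [&str; 2] = [
    "danger_accept_invalid_certs",
    "danger_accept_invalid_hostnames",
];

/// Scan Rust source text line by line for TLS-verification bypass calls.
fn audit_source(src: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, raw) in src.lines().enumerate() {
        // Drop `//` comments so documentation mentioning the call is not flagged.
        let code = raw.split("//").next().unwrap_or("");
        for call in BYPASS_CALLS.iter().copied() {
            if let Some(pos) = code.find(call) {
                let rest = code[pos + call.len()..].trim_start();
                if let Some(args) = rest.strip_prefix('(') {
                    let line = idx + 1;
                    match args.split(')').next().unwrap_or("").trim() {
                        "false" => {} // validation explicitly left on
                        "true" => findings.push(Finding::Hardcoded { line, call }),
                        _ => findings.push(Finding::Conditional { line, call }),
                    }
                }
            }
        }
    }
    findings
}

// Constructed sample inputs, not the project's actual source.
const BEFORE: &str = "let c = reqwest::Client::builder()\n    .danger_accept_invalid_certs(true)\n    .build()?;";
const AFTER: &str = "// never call danger_accept_invalid_certs(true) here\nlet insecure = std::env::var(\"EXAMPLE_INSECURE_TLS\").as_deref() == Ok(\"1\");\nlet c = reqwest::Client::builder()\n    .danger_accept_invalid_certs(insecure)\n    .build()?;";

fn main() {
    println!("before: {:?}", audit_source(BEFORE));
    println!("after:  {:?}", audit_source(AFTER));
}
```

In CI, fail the build on any `Hardcoded` finding and require sign-off on each `Conditional` one.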
