curl-users

Re: cURL and SSL for posting to Authorize.Net

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 3 Dec 2002 08:22:32 +0100 (MET)

On Tue, 3 Dec 2002, Paul Hoza wrote:

> Fantastic! Thanks for the info. I'm still somewhat unclear on what kind
> of security risk one introduces by using -k, though. Is there a risk of
> someone faking your cert somehow? As you may see, I'm paranoid about these
> things of which I know little. :)

Let me give you the extensive reply:

Using -k with curl 7.10.* gives you the same security level curl offered out
of the box before 7.10: basically none at all.

When you use SSL, you most likely want an encrypted connection but you also
want to make sure that you're truly talking to the *correct* server and not a
man in the middle, an imposing server. The only way to make sure is to
verify the server's certificate against a CA cert bundle that you have
installed.

Starting in 7.10, curl does the server certificate verification by default
unless you explicitly disable it. It uses the CA cert bundle distributed with
the source and installed at 'make install' time. You can use command line
options to use other bundles at will.

-k/--insecure disables the verification of the server's certificate and thus
you basically say you trust the server without checking it.

I hope this clarifies somewhat.

-- 
 Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
Received on 2002-12-03
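
Added example, not part of the mail above and not code from the curl project: a small Python audit that finds curl calls in a shell script which pass -k/--insecure, including bundled short options such as -sk. The sample script, the host gateway.example, the function names and the set of value-taking short options are assumptions made for illustration.

```python
import shlex

# Short curl options that consume a value (assumed, non-exhaustive set), so that
# "-ok" is read as "-o k" (output file named "k") rather than as -o plus -k.
TAKES_ARG = set("AbcCdDeEFHKmoPQrtTuUwxXyYz")
CMD_END = set("();|&")          # shell operators that end one command

def uses_insecure(command):
    """True if a curl call on this command line passes -k/--insecure."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        tokens = list(lex)
    except ValueError:          # unbalanced quotes: line cannot be parsed
        return False
    in_curl = skip = False
    for tok in tokens:
        if tok and set(tok) <= CMD_END:
            in_curl = skip = False          # pipe, &&, ; start a new command
        elif not in_curl:
            in_curl = tok.rsplit("/", 1)[-1] == "curl"
        elif skip:              # this token is the value of the previous option
            skip = False
        elif tok == "--insecure":
            return True
        elif tok.startswith("-") and not tok.startswith("--"):
            for i, ch in enumerate(tok[1:], start=1):
                if ch == "k":
                    return True
                if ch in TAKES_ARG:   # rest of cluster, or next token, is its value
                    skip = i == len(tok) - 1
                    break
    return False

def scan_script(text):
    """Return line numbers of curl calls that skip certificate verification."""
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if uses_insecure(line)]

# Constructed sample script; only lines 3 and 4 disable verification.
SAMPLE = '''#!/bin/sh
curl -s https://gateway.example/post -d "x=1"
curl -sk https://gateway.example/post -d "x=1"
curl --insecure https://gateway.example/ | grep -c ok
curl -s https://gateway.example/ -ok   # output file named "k"
curl -s https://gateway.example/ | grep -k ok
curl --cacert /etc/ssl/my-ca.pem -H "X-Note: -k" https://gateway.example/
'''
if __name__ == "__main__":
    print(scan_script(SAMPLE))
```

Commands split across backslash-continued lines and settings in a curl config file are not examined by this sketch.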