curl-users

Re: Deprecate unclear -k flag in favour of only using explicit --insecure

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 18 Apr 2017 18:04:14 +0200 (CEST)

On Mon, 17 Apr 2017, Rodrigo Zanatta Silva via curl-users wrote:

> I really don't understand how an attacker can use the TLS certificates for
> evil. All problems I have with it in the real world were about these two options:
>
> * The certificate expired because the site doesn't pay for it
> * They buy a certificate from a company that for some reason is not
> trusted.
>
> What is the most common REAL problem we can find about this jungle? What evil
> people are doing?

When you use curl -k or --insecure, curl skips the certificate check. It will
accept whatever certificate the server sends and continue as if it was fine.
Maybe it is fine. Maybe it isn't.

Skipping the check allows someone to insert themselves between curl and the
server (a so called Man In The Middle) and curl won't notice, since it doesn't
check the server's certificate.

The amount of evil someone can do in a MITM attack I think you can think of just
as well as anyone else!

TLS certificates are *free* these days (and please don't mention EV now).
There's no valid reason to not use one from a CA that is widely trusted. TLS
certificates are automatically renewed these days with scripts. There's no
valid reason to let a certificate expire.

You should only use -k / --insecure during testing and for very limited
purposes when you can be reasonably sure of the server using other means. You
should never leave the option in a production environment.

-- 
  / daniel.haxx.se
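A practical follow-up to the advice above, added here as an example and not part of the original mail or of curl itself: the easiest way to make sure -k / --insecure never reaches production is to scan your scripts for it before they ship. The POSIX shell functions below flag curl invocations that disable certificate verification (the long form, the bare short flag, and short-option clusters such as -sk or -kL), and the sample script lines they run over are constructed for this example. The hypothetical internal hostnames and CA path in the comments are placeholders.

```shell
#!/bin/sh
# Added example: detect curl invocations that skip certificate verification.
# Not curl's own code; the sample script below is constructed for this demo.

# Exit 0 (true) if the given curl command line disables certificate checks.
# Checks --insecure, a bare -k, and short-option clusters containing k
# (e.g. -sk, -kL). Comparison is case-sensitive because -K (uppercase)
# is --config, not --insecure. An attached option argument containing a
# lowercase k (e.g. -dkey=1) would also be flagged, which errs on the side
# of a human taking a look, the safe direction for a review check.
curl_is_insecure() {
    for tok in $1; do
        case "$tok" in
            --insecure) return 0 ;;   # long form
            --*) ;;                   # other long options never imply -k
            -*k*) return 0 ;;         # short flag or cluster containing k
        esac
    done
    return 1
}

# Read shell script text on stdin and print every non-comment line that
# invokes curl without certificate verification. Exit 1 if anything was
# found (so it can gate a CI job), 0 otherwise.
find_insecure_curl() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            '#'*) continue ;;         # skip comment lines
            *curl*) ;;                # only curl invocations are of interest
            *) continue ;;
        esac
        if curl_is_insecure "$line"; then
            found=$((found + 1))
            printf 'INSECURE: %s\n' "$line"
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample script lines (not from any real deployment). The last
# line shows the alternative the mail alludes to: when the server uses a
# private CA, hand curl that CA with --cacert instead of turning checks off.
SAMPLE_SCRIPT='# deploy helper, constructed sample
curl -sS https://example.com/api/health
curl -sk https://internal.example.com/status
curl --insecure -o out.bin https://build.example.com/artifact
curl -K ~/.curlrc https://example.com/
curl --cacert /etc/pki/internal-ca.pem https://internal.example.com/status'

# Usage: run the scan over the sample; two lines are reported and the
# function exits non-zero.
printf '%s\n' "$SAMPLE_SCRIPT" | find_insecure_curl || echo "insecure curl usage found"
```

Drop the sample block and feed it your own scripts (for example `cat deploy/*.sh | find_insecure_curl`) to get a simple pre-merge gate; a `-k` that is genuinely needed for a throwaway test can then be justified in review rather than slipping through unnoticed.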
Received on 2017-04-18