Download
Browse source Changelog
Documentation
Project   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-users / Single Mail

curl-users

Re: curl-users--insecure (Daniel Stenberg)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 23 Aug 2017 15:28:57 +0200 (CEST)

On Wed, 23 Aug 2017, Timothe Litt wrote:

>> Would adding a warning help? Here's a PR doing that:

> I don't see how this helps. I know I specified --insecure - confirming it
> doesn't incent me to do otherwise.

I think a lot of people use -k pasted from somewhere without knowing what it
means - the stackoverflow effect. I also think that curl is used insecurely
from within lots of scripts without all users of these scripts knowing that,
and these users could now spot the warning.

This said, I actually don't think this little warning will change much as we
users are well trained since long at ignoring warnings - especially if
everything still seems to work fine.

> a) Encourage DANE (and support it in curl) - though whether curl support
> would drive adoption is open

That's a looong term vision. Not to mention how this then expects people to
put their self-signed certs into the DNS, which most certainly will always be
more complicated than just keep using --inscure...

We've had DANE mentioned in the TODO document for years and while we've seen
at least two efforts in making it reality, it is a big chunk of complicated
work. DANE is not exactly getting much love from the browser world so it's not
likely to be a real solution for HTTPS within the forseeable future.

> b) Take a leaf from ssh's book: add a simple mechanism for retrieving a
> server's certificate and adding it to a trust store.

That's indeed an interesting idea! That's a long list of issues to deal with
though, that are things that makes this much more complicated than the "easy"
case ssh has with known hosts.

In addition to that great list of challenges we also have

   * what TLS library backend is used
   * HTTPS proxy support (for some TLS backends)

I firmly agree that it would be really neat with a start at this that at least
helps the user more towards getting rid of the --insecure option. 

-- 
  / daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2017-08-23