curl-and-php
Re: "Regarding the recent flow of SSL security flaws"
Date: Mon, 2 Sep 2002 11:41:24 +0200 (MET DST)
On Mon, 2 Sep 2002, mixo wrote:
> I saw the heading
> "Regarding the recent flow of SSL security flaws" on the curl site, and I
> have not been able to connect to
> http://online.securityfocus.com/archive/1/286290/2002-07-31/2002-08-06/0
> with the IE advisory.
>
> Is there anywhere else where I can find this information?
I think it is the flaw mentioned for example in this article:
http://www.nwfusion.com/news/2002/0813ieflaw.html
... and the initial report later triggered advisories such as this
KDE-related one:
http://www.kde.org/info/security/advisory-20020818-1.txt
This is curl-related in this way:
curl does not do peer certificate verfication unless told so (by design and
intension). So if you don't use any flags or anything, the above is valid for
curl too.
However, if curl is told to verify the peer, it is not vulnerable for any
man-in-the-middle attacks AFAIK.
(The upcoming curl 7.10 will however try to verify the peer certifcate by
default.)
-- Daniel Stenberg -- curl related mails on curl related mailing lists please ------------------------------------------------------- This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390Received on 2002-09-02