curl-library

Re: Changing to HTTPS

From: Richard Atterer <richard_at_2005.atterer.net>
Date: Wed, 11 May 2005 17:07:19 +0200

On Wed, May 11, 2005 at 05:46:42PM +0300, ext-venkatesh.hosur_at_nokia.com wrote:
> ii. In the client code the CURL option, CURLOPT_SSL_VERIFYPEER will be set to ZERO.
>
> It's assumed that the Server which is being connected is
> trustworthy. Only thing that's needed is the secure communication.
> So, by just doing the above two changes in the code can we get a
> secure communication?

No, the communication will not be secure; a man-in-the-middle attack is
possible. Set CURLOPT_SSL_VERIFYPEER!=0 and CURLOPT_CAINFO. Don't just
pretend to be secure, BE secure!

  Richard

-- 
  __   _
  |_) /|  Richard Atterer     |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯
Received on 2005-05-11