curl-library

Re: New to curl

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 20 Oct 2011 15:09:46 +0200 (CEST)

On Thu, 20 Oct 2011, Yingling, Todd wrote:

> Does curl encrypt the tunnel when it's used to transfer a message to an https
> site, even though certificates are not being verified? Is the message
> secure?

curl speaks HTTPS then, so your question is really about how secure HTTPS is
without using certificates?

First, HTTPS is HTTP over TLS (or SSL). TLS _always_ has a server certificate
involved that is presented by the server to the client.

The client MUST verify the server certificate against a CA cert bundle, to
know that you're in fact talking to the correct server. This verification can
be skipped, but then it makes the TLS connection insecure. But the connection
would still be encrypted and not possible to eavesdrop on.

Once the TLS connection has been negotiated, the data that goes over the
connection is as secure as you can get with this technology.

If the server also wants to be really sure that the client is who/what it
claims to be, then the server can insist on requiring a client certificate.

Did this answer the question?

-- 
  / daniel.haxx.se
Received on 2011-10-20
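
The three cases described in the reply above (verification on, verification skipped, verification against a chosen CA certificate), as an added example that is not part of the original mail and is not curl code. It uses Go's standard library and a loopback test server so it runs offline; the names `fetch`, `compare` and `result` are hypothetical, and the curl flags in the comments are the analogous command-line options.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// result records what one client configuration observed.
type result struct {
	Connected bool  // request completed over the TLS connection
	Encrypted bool  // TLS handshake finished, traffic was encrypted
	Err       error // certificate verification or transport error
}

// fetch performs one HTTPS GET with the given client-side TLS settings.
func fetch(url string, cfg *tls.Config) result {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return result{Err: err}
	}
	defer resp.Body.Close()
	return result{Connected: true, Encrypted: resp.TLS != nil && resp.TLS.HandshakeComplete}
}

// compare starts a loopback HTTPS server whose test certificate is signed by
// no public CA (constructed by httptest) and connects to it three ways.
func compare() (verified, skipped, pinned result) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust exactly this server's certificate
	verified = fetch(srv.URL, &tls.Config{})                        // default CA verification
	skipped = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true}) // curl -k equivalent
	pinned = fetch(srv.URL, &tls.Config{RootCAs: roots})            // curl --cacert equivalent
	return
}

func main() {
	v, s, p := compare()
	fmt.Printf("verify (default): connected=%v err=%v\n", v.Connected, v.Err)
	fmt.Printf("verification off: connected=%v encrypted=%v\n", s.Connected, s.Encrypted)
	fmt.Printf("own CA bundle:    connected=%v encrypted=%v\n", p.Connected, p.Encrypted)
}
```

With verification off the client accepts whatever certificate it is handed, so the session is encrypted but the identity of the peer is unknown.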