curl-library
"The Most Dangerous Code in the World"
Date: Wed, 24 Oct 2012 22:45:17 +0200 (CEST)
Hi friends,
"The Most Dangerous Code in the World: Validating SSL Certificates in
Non-Browser Software" is a report from 6 authors I noticed today:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
Among many things it has the following charming remark about libcurl's API:
"This interface is almost perversely bad."
From what I understand, the single reason behind that statement is that we
have the CURLOPT_SSL_VERIFYHOST option which takes a three-value option and
not just a boolean. The authors found several pieces of source code that treated it as
a boolean and set it to TRUE (== 1) and thus it doesn't check the certificate
properly.
So instead of posting a patch to us, instead of mailing us a suggestion,
instead of posting a bug report they write this document.
-- / daniel.haxx.se
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-10-24
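The three-value option the mail refers to, modelled as an added example (not code from the mail, the paper, or libcurl): `verifyhost_accepts` mimics the 2012-era CURLOPT_SSL_VERIFYHOST levels, where 1 only checked that the certificate carried a name at all while 2 required that name to match the host. The host and certificate names are constructed, and the wildcard matching is a deliberately minimal stand-in for a real TLS library's rules.

```c
/* Added example: models the three CURLOPT_SSL_VERIFYHOST levels of the
 * 2012-era libcurl discussed in the mail, to show why "1" is not "verify".
 * Certificate and host names below are constructed, not real. */
#include <stdio.h>
#include <string.h>

/* Minimal RFC 2818-style match: exact name, or one left-most wildcard label. */
static int name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && strcmp(pattern + 1, dot) == 0;
    }
    return strcmp(pattern, host) == 0;
}

/* level 0: skip the host check entirely;
 * level 1: only require that the certificate carries a name (the legacy
 *          behaviour the paper's authors objected to);
 * level 2: the name must match the host being connected to.
 * Returns 1 if the connection would be accepted, 0 if rejected. */
int verifyhost_accepts(long level, const char *cert_cn, const char *host) {
    if (level == 0) return 1;
    if (level == 1) return cert_cn != NULL && cert_cn[0] != '\0';
    return cert_cn != NULL && name_matches(cert_cn, host);
}

int main(void) {
    const char *host = "example.com";            /* constructed */
    const char *wrong_cn = "other.example.net";  /* constructed: valid cert, wrong name */
    for (long level = 0; level <= 2; level++)
        printf("VERIFYHOST=%ld: cert for %s when connecting to %s -> %s\n",
               level, wrong_cn, host,
               verifyhost_accepts(level, wrong_cn, host) ? "ACCEPTED" : "rejected");
    return 0;
}
```

Only level 2 rejects a correctly signed certificate issued for a different name, which is exactly the case a code reviewer should check for when auditing an application's use of this option; newer libcurl releases no longer treat 1 as a separate weaker level, so consult the CURLOPT_SSL_VERIFYHOST manual for the version in use.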