
curl-library

"The Most Dangerous Code in the World"

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 24 Oct 2012 22:45:17 +0200 (CEST)

Hi friends,

"The Most Dangerous Code in the World: Validating SSL Certificates in
Non-Browser Software" is a report from 6 authors I noticed today:

   http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Among many things it has the following charming remark about libcurl's API:
"This interface is almost perversely bad."

From what I understand, the single reason behind that statement is that we
have the CURLOPT_SSL_VERIFYHOST option which takes a three-value option and
not just a boolean. The authors found several source codes that treated it as
a boolean and set it to TRUE (== 1) and thus it doesn't check the certificate
properly.

So instead of posting a patch to us, instead of mailing us a suggestion,
instead of posting a bug report they write this document.

-- 
  / daniel.haxx.se
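A small source audit script, added here as an example (it is not from this thread or the curl project), that scans C code for the misuse the mail describes: curl_easy_setopt() calls that pass 1/TRUE to CURLOPT_SSL_VERIFYHOST (which does not make libcurl match the host name; 2 does), or that switch off CURLOPT_SSL_VERIFYHOST or CURLOPT_SSL_VERIFYPEER entirely. The sample C lines are constructed for the demonstration.

```python
import re

# Constructed sample C source (not from the mailing list): the boolean
# misreading the post describes, plus correct and fully-disabled variants.
SAMPLE_C = """
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);      /* misread as boolean */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, TRUE);   /* same mistake */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);     /* correct */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);      /* disables chain check */
curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 0);    /* disables name check */
"""

# Matches curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYHOST|PEER, <value>),
# tolerating an optional (long) cast in front of the value.
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*(\w+)\s*,\s*(CURLOPT_SSL_VERIFY(?:HOST|PEER))"
    r"\s*,\s*(?:\(\s*long\s*\))?\s*([^)]+?)\s*\)"
)
TRUE_VALUES = {"1", "1L", "TRUE", "true"}
FALSE_VALUES = {"0", "0L", "FALSE", "false"}


def audit_curl_source(text):
    """Return (line_no, option, value, finding) for each questionable call."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for _handle, opt, val in SETOPT.findall(line):
            val = val.strip()
            if opt == "CURLOPT_SSL_VERIFYHOST":
                if val in TRUE_VALUES:
                    findings.append((line_no, opt, val,
                                     "1 does not match the host name; use 2"))
                elif val in FALSE_VALUES:
                    findings.append((line_no, opt, val,
                                     "host name verification disabled"))
            elif opt == "CURLOPT_SSL_VERIFYPEER" and val in FALSE_VALUES:
                findings.append((line_no, opt, val,
                                 "certificate chain verification disabled"))
    return findings


if __name__ == "__main__":
    for line_no, opt, val, why in audit_curl_source(SAMPLE_C):
        print(f"line {line_no}: {opt} = {val}: {why}")
```

Run it over a tree with something like `audit_curl_source(open(path).read())` per file; the 2L line produces no finding, the other four do.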
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2012-10-24