curl-library
Re: "The Most Dangerous Code in the World"
Date: Thu, 25 Oct 2012 09:50:19 +0200
On 10/25/2012 07:16 AM, SM wrote:
> Hi Daniel,
> At 13:45 24-10-2012, Daniel Stenberg wrote:
>> "The Most Dangerous Code in the World: Validating SSL Certificates in
>> Non-Browser Software" is a report from 6 authors I noticed today:
>>
>> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
>
> cURL is also mentioned in the FAQ at
> https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
>
> Regards,
> -sm
Wow, I'm a bit amazed at this abstract and the libcurl comments in the
original paper of this topic. I've been creating OpenSSL based tools for
quite a while and I love libcurl for its set of strict default proper
checks when it comes to SSL.
If I take the easiest curl example and use an https:// URL, it will
actually do the right thing according to a bunch of RFCs and CAB/Forum
specifications.
It starts to get fuzzy when developers are exposing the non-novice
options to the applications to make exceptions to the proper defaults,
which would be equal to writing scripts with the "-k" option enabled.
Also the options which we're talking about are quite well documented.
Perhaps the options could be extended with a disclaimer pointing to the
following picture which I just had to create:
cheers,
Oscar
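The "-k" switch and the libcurl options behind it are exactly what an auditor looks for when reviewing code that uses curl. The script below is an added example, not code from the list post or from the curl project: it scans constructed sample inputs (a shell script and a fragment of C calling libcurl, both against the made-up host api.example.invalid) for settings that turn the strict defaults off. The libcurl names are real (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST); in the libcurl of that era a VERIFYHOST value of 1 only checked that the certificate carried a name at all, and only 2 matched that name against the host, which is why the scanner flags both 0 and 1. The function names and the regular expressions are the example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the curl project):
# find curl/libcurl usages that weaken the default certificate checks.

# Constructed sample inputs standing in for real files under review.
SAMPLE_SCRIPT='#!/bin/sh
curl -k https://api.example.invalid/v1/status
curl --insecure -o out.json https://api.example.invalid/v1/data
curl --cacert /etc/ssl/certs/ca-bundle.crt https://api.example.invalid/v1/ok
curl https://api.example.invalid/v1/default-ok'

SAMPLE_C='curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 1L);
curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 2L);
curl_easy_setopt(h, CURLOPT_URL, "https://api.example.invalid/");'

# count_insecure_curl_flags TEXT
# Number of curl command lines that pass -k (also inside a bundle such
# as -sk) or --insecure. Lines that use --cacert or plain defaults are
# not counted. "|| true" keeps grep's "no match" exit status from
# aborting a caller that runs under set -e.
count_insecure_curl_flags() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*curl[[:space:]]' \
        | grep -cE '(^|[[:space:]])(-[a-zA-Z]*k[a-zA-Z]*|--insecure)([[:space:]]|$)' \
        || true
}

# count_weak_libcurl_opts TEXT
# Number of curl_easy_setopt lines that set CURLOPT_SSL_VERIFYPEER to 0
# or CURLOPT_SSL_VERIFYHOST to 0 or 1 (only 2 verifies the host name).
count_weak_libcurl_opts() {
    printf '%s\n' "$1" \
        | grep -cE 'CURLOPT_SSL_VERIFY(PEER[[:space:]]*,[[:space:]]*0L?|HOST[[:space:]]*,[[:space:]]*[01]L?)[[:space:]]*\)' \
        || true
}

# audit_verdict SCRIPT_TEXT C_TEXT
# One-line summary combining both scans.
audit_verdict() {
    n=$(( $(count_insecure_curl_flags "$1") + $(count_weak_libcurl_opts "$2") ))
    if [ "$n" -eq 0 ]; then
        echo "OK: curl/libcurl left at its default certificate checks"
    else
        echo "WEAK: $n setting(s) disable or weaken certificate checks"
    fi
}

# Stand-alone run over the constructed samples.
audit_verdict "$SAMPLE_SCRIPT" "$SAMPLE_C"
```

On real files, feed the output of `cat` into the two counting functions; the patterns deliberately ignore `--cacert` and `--capath`, which tighten rather than loosen the checks, so a script that pins its own CA bundle reports clean.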
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature