

Re: "The Most Dangerous Code in the World"

From: Oscar Koeroo <>
Date: Thu, 25 Oct 2012 09:50:19 +0200

On 10/25/2012 07:16 AM, SM wrote:
> Hi Daniel,
> At 13:45 24-10-2012, Daniel Stenberg wrote:
>> "The Most Dangerous Code in the World: Validating SSL Certificates in
>> Non-Browser Software" is a report from 6 authors I noticed today:
> cURL is also mentioned in the FAQ at
> Regards,
> -sm

Wow, I'm a bit amazed at this abstract and the libcurl comments in the
original paper of this topic. I've been creating OpenSSL-based tools for
quite a while and I love libcurl for its set of strict default proper
checks when it comes to SSL.

If I take the easiest curl example and use an https:// URL, it will
actually do the right thing according to a bunch of RFCs and the CA/Browser Forum.

It starts to get fuzzy when developers are exposing the non-novice
options to the applications to make exceptions to the proper defaults.
Which would be equal to writing scripts with the "-k" option enabled.

Also the options which we're talking about are quite well documented.
Perhaps the options could be extended with a disclaimer pointing to the
following picture which I just had to create:



Received on 2012-10-25
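An added audit script, not from this thread or the curl project, that flags the exceptions the post describes: `-k`/`--insecure` on curl command lines, and libcurl's CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST (or pycurl's spellings) set to a value that skips the check. The option names are libcurl's own; the sample lines are constructed and the flag-cluster matching is a heuristic.

```python
import re
import shlex

# Real libcurl/pycurl option names; full checking needs VERIFYPEER = 1 and VERIFYHOST = 2.
_SETOPT = re.compile(r"SSL_VERIFY(PEER|HOST)\s*,\s*(\d+|False|false)L?\b")

def _cli_disables_verification(line):
    """True if a curl command on this line carries -k or --insecure."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = line.split()
    if not any(t.rsplit("/", 1)[-1] == "curl" for t in tokens):
        return False
    # --insecure, or a short-flag cluster such as -sk (heuristic; -K is a different option)
    return any(t == "--insecure" or
               (t.startswith("-") and not t.startswith("--") and "k" in t[1:])
               for t in tokens)

def _setopt_disables_verification(line):
    """Name of the libcurl verify option this line sets to 0/False, else None."""
    m = _SETOPT.search(line)
    if m and m.group(2).lower() in ("0", "false"):
        return f"SSL_VERIFY{m.group(1)}"
    return None

def find_weak_tls_settings(source):
    """Return [(line_number, reason)] for every line that switches off a default check."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        if _cli_disables_verification(line):
            findings.append((n, "curl invoked with -k/--insecure"))
        elif (opt := _setopt_disables_verification(line)):
            findings.append((n, f"{opt} disabled"))
    return findings

# Constructed sample: lines from a shell script, a C source and a pycurl script.
SAMPLE = """\
curl https://example.com/api   # secure default: peer and host name checked
curl -sk https://example.com/api
/usr/bin/curl --insecure -o out https://example.com/
curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0L);
c.setopt(pycurl.SSL_VERIFYHOST, 2)
c.setopt(c.SSL_VERIFYPEER, False)
"""

if __name__ == "__main__":
    print(find_weak_tls_settings(SAMPLE))
```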