cURL / Mailing Lists / curl-library / Single Mail

curl-library

RE: "The Most Dangerous Code in the World"

From: Yehezkel Horowitz <horowity_at_checkpoint.com>
Date: Thu, 25 Oct 2012 09:53:38 +0200

>cURL is also mentioned in the FAQ at
>https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html

This is the quote from the FAQ
>Q: How do I use cURL securely?
>A: CURLOPT_SSL_VERIFYPEER must be set to TRUE, CURLOPT_SSL_VERIFYHOST must be left to its default value or set to 2. Anything >else, such as setting CURLOPT_SSL_VERIFYHOST to TRUE, will result in the SSL connection being insecure against a man-in-the-middle attacker.

The real answer should be - cURL defaults are secure - no need for any code to use it securely.
==================
In general I think the very short answer for this publication should be RTFM.

The little bit longer answer would be -
1. cURL is a C code library - you can't set a value to TRUE since this is not in the language syntax.
So you has somewhere in your includes something like "#define TRUE 1" - you must be aware to this issue - this is an important part of the relations between computers/compilers/programmers.

2. Before setting any option to cURL - you should read the very clear documentation about this option.
==================
As to what we can do to make cURL even better (in order to protect unprofessional users that don't know what they are doing), We could make '1' to act as '2' (verify peer identity), and add a special magic value (i.e. 27934) that will act as todays '1' (check for CN existence but don't verify it).

I think most of users do not intend to use '1' in the unsecure way, so most of them will be happy with this change of behavior.

What do you think?

Yehezkel

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-10-25