Hi friends,

"The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" is a report from 6 authors I noticed today:

  http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Among many things it has the following charming remark about libcurl's API: "This interface is almost perversely bad."

From what I understand, the single reason behind that statement is that we have the CURLOPT_SSL_VERIFYHOST option which takes a three-value option and not just a boolean. The authors found several code bases that treated it as a boolean and set it to TRUE (== 1) and thus it doesn't check the certificate properly.

So instead of posting a patch to us, instead of mailing us a suggestion, instead of posting a bug report they write this document.

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
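The misuse described in the mail (passing TRUE, i.e. 1, to CURLOPT_SSL_VERIFYHOST, which at the time of the report only checked that a name was present in the certificate rather than that it matched the host, while 2 requests the full match) is easy to catch in a code review. The following audit script is an added example, not part of the mail or of the curl project: it scans C source for curl_easy_setopt() calls that set CURLOPT_SSL_VERIFYHOST and classifies the value passed. The regex, the set of "true"/"false" spellings it recognises and the sample source it runs over are all constructed here; later libcurl releases changed how the value 1 is handled, so the classification reflects the semantics the report describes.

```python
import re
from dataclasses import dataclass
from typing import List

# Value libcurl documents as "verify that the certificate name matches the
# host being contacted" (the only setting that actually checks the host name
# under the semantics described in the report).
FULL_VERIFY = "2"

# Matches curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYHOST, <value>) on one
# line and captures <value> verbatim, whether it is a literal or an expression.
_SETOPT_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSL_VERIFYHOST\s*,\s*"
    r"(?P<value>[^)]+?)\s*\)"
)

# Spellings callers commonly use when they believe the option is a boolean
# (assumed list, extend as needed for the code base being audited).
_TRUE_LITERALS = {"1", "1L", "TRUE", "true"}
_FALSE_LITERALS = {"0", "0L", "FALSE", "false"}


@dataclass
class Finding:
    line_no: int
    value: str
    verdict: str  # "ok", "cn-only", "disabled" or "review"


def classify_value(value: str) -> str:
    """Map the third argument of the setopt call to an audit verdict."""
    v = value.strip()
    if v in (FULL_VERIFY, FULL_VERIFY + "L"):
        return "ok"          # 2: host name must match the certificate
    if v in _TRUE_LITERALS:
        return "cn-only"     # 1: boolean misuse, host name not compared
    if v in _FALSE_LITERALS:
        return "disabled"    # 0: host name check explicitly turned off
    return "review"          # variable or macro: needs a manual look


def audit_source(source: str) -> List[Finding]:
    """Return one Finding per CURLOPT_SSL_VERIFYHOST assignment in `source`."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in _SETOPT_RE.finditer(line):
            value = match.group("value")
            findings.append(Finding(line_no, value, classify_value(value)))
    return findings


def unsafe_findings(findings: List[Finding]) -> List[Finding]:
    """Only the settings that leave the host name unchecked."""
    return [f for f in findings if f.verdict in ("cn-only", "disabled")]


# Constructed sample input: not taken from any real project.
SAMPLE_SOURCE = """\
/* constructed sample C source */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, TRUE);   /* boolean misuse */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);     /* correct */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);      /* explicitly off */
curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, cfg->verify_host);
"""


if __name__ == "__main__":
    for f in audit_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: value {f.value!r} -> {f.verdict}")
```

The "review" verdict matters as much as the two unsafe ones: when the value comes from a variable or configuration field, the audit has to follow where that value is set, since a config file that stores the option as a yes/no flag reintroduces exactly the TRUE-means-1 mistake.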
