On 10/25/2012 07:16 AM, SM wrote:
Hi Daniel,

At 13:45 24-10-2012, Daniel Stenberg wrote:
"The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" is a report from 6 authors I noticed today:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

cURL is also mentioned in the FAQ at https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html

Regards,
-sm
Wow, I'm a bit amazed at this abstract and the libcurl comments in the original paper on this topic. I've been creating OpenSSL-based tools for quite a while, and I love libcurl for its set of strict, proper default checks when it comes to SSL.

If I take the easiest curl example and use an https:// URL, it will actually do the right thing according to a bunch of RFCs and CA/Browser Forum specifications.

It starts to get fuzzy when developers expose the non-novice options to their applications to make exceptions to the proper defaults, which would be equal to writing scripts with the "-k" option enabled.

Also, the options we're talking about are quite well documented. Perhaps the options could be extended with a disclaimer pointing to the following picture, which I just had to create:
http://i.imgur.com/DHcd2.jpg

cheers,
Oscar
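As an added example that is not part of this thread or of curl itself, the following POSIX shell audit flags the "exceptions to the proper defaults" discussed above in scripts and sources: curl's -k/--insecure and the libcurl verification options. The option names are real libcurl options; the sample file it scans is constructed here, and the function names are ours.

```shell
#!/bin/sh
# Added example, not code from the curl thread: scan shell scripts and
# libcurl/PHP sources for settings that switch off the certificate checks
# curl performs by default. Only real curl/libcurl option names are matched.

# report_matches PATTERN WHY FILE: print "file:line:text  <- WHY" per hit.
report_matches() {
    grep -nE "$1" "$3" | sed "s|^|$3:|; s|\$|  <- $2|"
}

# audit_curl_tls FILE: one line per setting that weakens certificate checks.
audit_curl_tls() {
    f="$1"
    # curl(1) -k / --insecure: the scripted equivalent of disabling both
    # libcurl checks below (may also hit "[ -k file ]"; review each finding).
    report_matches '(^|[[:space:]])(-k|--insecure)([[:space:]]|$)' \
        'curl -k/--insecure: chain and hostname checks skipped' "$f"
    # CURLOPT_SSL_VERIFYPEER 0/false: any certificate, self-signed included.
    report_matches 'CURLOPT_SSL_VERIFYPEER[^0-9A-Za-z]*(0|false|FALSE)' \
        'VERIFYPEER off: chain not validated against the CA bundle' "$f"
    # CURLOPT_SSL_VERIFYHOST: only 2 matches the name against the host; 0 skips
    # it and 1 (PHP true) was historically a weaker check, not a name match.
    report_matches 'CURLOPT_SSL_VERIFYHOST[^0-9A-Za-z]*(0|1|true|TRUE|false|FALSE)' \
        'VERIFYHOST not 2: certificate name not matched against host' "$f"
}

# count_insecure_tls FILE: number of findings, usable as a CI gate.
count_insecure_tls() {
    audit_curl_tls "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample input: a deploy script with PHP and C fragments mixed in.
SAMPLE="${TMPDIR:-/tmp}/curl_tls_sample.$$"
cat > "$SAMPLE" <<'EOF'
curl https://example.com/api/status
curl -k https://internal.example.com/health
curl --insecure -o pkg.bin https://example.com/pkg
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
EOF

audit_curl_tls "$SAMPLE"
echo "insecure TLS settings found: $(count_insecure_tls "$SAMPLE")"
```

Only the first and last sample lines keep curl's default behaviour; the other four are reported, and a non-zero count can fail a build.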
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
