On Oct 28, 2012, at 2:10 PM, Philip Hazel <[email protected]> wrote:
>> ... Due to widespread misunderstanding of the API, many
>> programs using libcurl have made this error: "setting
>> CURLOPT_SSL_VERIFYHOST to TRUE, will result in the SSL connection
>> being insecure against a man-in-the-middle attacker". Sounds harmless,
>> right?
>
> The word "insecure" doesn't sound harmless to me!

Sorry, what I meant is "setting CURLOPT_SSL_VERIFYHOST to TRUE" sounds harmless -- better verify the host, right? The consequence is disastrous, of course.

By the way, libcurl is an excellent library, like PCRE. The problem is that the library was used incorrectly; and also that its API made incorrect usage too easy and non-obvious. Everyone makes mistakes.

Best wishes,

Tom

文林 Wenlin Institute, Inc. Software for Learning Chinese
E-mail: [email protected] Web: http://www.wenlin.com
Telephone: 1-877-4-WENLIN (1-877-493-6546)
☯

--
## List details at https://lists.exim.org/mailman/listinfo/pcre-dev
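
The misuse discussed in this message can be found by auditing source code for how CURLOPT_SSL_VERIFYHOST is set. The scanner below is an added example, not part of the original e-mail and not libcurl code; the regular expression, function names and sample lines are constructed for illustration, and it assumes that 2 is the value libcurl documents for full hostname verification.

```python
import re

# Matches the option followed by its value in the C form
#   curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, X)
# the PHP form
#   curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, X)
# and the PHP array form
#   CURLOPT_SSL_VERIFYHOST => X
SETTING = re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*([$\w]+)")


def classify(value):
    """Return a verdict for one literal or identifier used as the value."""
    v = value.lower()
    if v in ("2", "2l"):
        return "ok"        # assumption: 2 requests full hostname matching
    if v in ("true", "1", "1l"):
        return "misuse"    # TRUE evaluates to 1, the error described above
    if v in ("false", "0", "0l"):
        return "disabled"  # hostname check switched off outright
    return "review"        # variable or constant: needs a human look


def scan(source):
    """Return (line number, verdict, line text) for every non-ok setting."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in SETTING.finditer(line):
            verdict = classify(match.group(1))
            if verdict != "ok":
                findings.append((lineno, verdict, line.strip()))
    return findings


# Constructed sample input mixing C and PHP call styles.
SAMPLE = """\
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, TRUE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
$opts = array(CURLOPT_SSL_VERIFYHOST => false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify);
"""

if __name__ == "__main__":
    for lineno, verdict, text in scan(SAMPLE):
        print(f"line {lineno}: {verdict}: {text}")
```
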
