daniel:// stenberg://

7 months ago

daniel:// stenberg://
7 months ago

lemme show you 140,000 (!) places in code where certificate verification is switched off when using libcurl: github.com/search?q=CURLOPT_SS…

GitHub

GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.

^GitHub

daniel:// stenberg:// reshared this.

in reply to daniel:// stenberg://

Buccia

in reply to daniel:// stenberg:// 7 months ago

Chinese instances are due to many chinese networks doing MiTM so instead of flooding the user with errors, they just disable certificate verification altogether.

in reply to daniel:// stenberg://

Ret

in reply to daniel:// stenberg:// 7 months ago

wait until you find out Amazon Application Load Balancers don't validate server certificates.

Edit: CloudFront does

Target groups for your Application Load Balancers - Elastic Load Balancing

Learn how to configure target groups for your Application Load Balancer.

^{docs.aws.amazon.com}

This entry was edited (7 months ago)

in reply to daniel:// stenberg://

mittorn

in reply to daniel:// stenberg:// 7 months ago

And i cannot sign in because of 2fa enforcement...

in reply to daniel:// stenberg://

Fritz Adalis

in reply to daniel:// stenberg:// 7 months ago

@infosecdj
_THIS_ is why we can't have nice things.

@DJ🌞

in reply to daniel:// stenberg://

Mike Taylor 🦕

in reply to daniel:// stenberg:// 7 months ago

What on earth is going on here? libcurl surely can't actually have 140,000 source files.

in reply to Mike Taylor 🦕

daniel:// stenberg://

in reply to Mike Taylor 🦕 7 months ago

@mike users of libcurl

@Mike Taylor 🦕

in reply to daniel:// stenberg://

Mike Taylor 🦕

in reply to daniel:// stenberg:// 7 months ago

Ohhhh, I see. (I mean, still astonishing, but not quite THAT astonishing!)

in reply to Mike Taylor 🦕

daniel:// stenberg://

in reply to Mike Taylor 🦕 6 months ago

@mike 140,000 apps doing insecure TLS *should* be astonishing I think ...

@Mike Taylor 🦕

in reply to daniel:// stenberg://

jan Anja();

in reply to daniel:// stenberg:// 6 months ago

@mike code search includes all forks, so the number should be much less after deduplication

@Mike Taylor 🦕

in reply to jan Anja();

daniel:// stenberg://

in reply to jan Anja(); 6 months ago

@cybertailor @mike sure, but that search also does not find all the relevant occurrences because of other ways to write the code and other languages, so it simultaneously is also much higher

@Mike Taylor 🦕 @jan Anja();

in reply to daniel:// stenberg://

Mike Taylor 🦕

in reply to daniel:// stenberg:// 6 months ago

@cybertailor (I always love when the result of counting something is of the form "140,000, or less, or more" 🙂)

@jan Anja();

in reply to daniel:// stenberg://

Mike Taylor 🦕

in reply to daniel:// stenberg:// 6 months ago

It IS astonishing. Just not quite AS astonishing as libcurl having more than 140,000 source files, which is how I initially misread this.

in reply to daniel:// stenberg://

Ron Bowes

in reply to daniel:// stenberg:// 7 months ago

We're gonna run outta CVEs!

in reply to daniel:// stenberg://

Alessandro Lai

in reply to daniel:// stenberg:// 7 months ago

let's hope it's just for running test locally without having the hassle of setting up self-signed certificates...

in reply to daniel:// stenberg://

Quince Pie

in reply to daniel:// stenberg:// 6 months ago

I imagined the number to be much smaller in code tbh. Some portion might be related to one of the reasons people turn it off on cli too maybe?
If you google most cert error messages many stackoverflow top answers are "use this flag that i didn't explain what it does but it will make it work"

in reply to daniel:// stenberg://

Annika Backstrom

in reply to daniel:// stenberg:// 6 months ago

This is maybe my favourite, where a curl wrapper explains how to turn peer verification off under the heading "SSL verification setup":

github.com/php-mod/curl#:~:tex…

GitHub - php-mod/curl: This library provides an object-oriented and dependency free wrapper of the PHP cURL extension.

This library provides an object-oriented and dependency free wrapper of the PHP cURL extension. - php-mod/curl

^GitHub

This entry was edited (6 months ago)

in reply to Annika Backstrom

daniel:// stenberg://

in reply to Annika Backstrom 6 months ago

@annika 😱

@Annika Backstrom

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 6 months ago

@annika github.com/php-mod/curl/issues…

Misleading TLS verification instructions · Issue #108 · php-mod/curl

The README currently says: SSL verification setup: $curl = new Curl\Curl(); $curl->setOpt(CURLOPT_RETURNTRANSFER, TRUE); $curl->setOpt(CURLOPT_SSL_VERIFYPEER, FALSE); $curl->get('https://encrypted....

^GitHub

@Annika Backstrom

in reply to daniel:// stenberg://

Annika Backstrom

in reply to daniel:// stenberg:// 6 months ago

👏

in reply to daniel:// stenberg://

Aljoscha Rittner (beandev)

in reply to daniel:// stenberg:// 6 months ago

Rename the option in the next release. 😈

in reply to daniel:// stenberg://

rails

in reply to daniel:// stenberg:// 6 months ago

Well, maybe it is time to deprecate and remove the option. Learning by pain for a better world. At least it will be funny to see how half the internet breaks and all the IT people running around, waving hands and swearing. 😂

in reply to daniel:// stenberg://

haerench

in reply to daniel:// stenberg:// 6 months ago

Certainly 140k occurrences is good enough for AI to label this as good code/practice and suggest it in new code ...

⇧

daniel:// stenberg:// 7 months ago • •

daniel:// stenberg://
7 months ago