Skip to main content

the #Apple #curl #security incident 12604 - or why CA cert verification is unreliable with curl on apple OS

daniel.haxx.se/blog/2024/03/08…

the Apple curl security incident 12604 | daniel.haxx.se

daniel.haxx.se
#apple #security #curl
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://
if doing a tool working everywhere is not already hard enough, some vendors decide to actively work against us and sneakily add backdoor functionality so that curl does not work the same way on their platforms. So now our documentation is wrong. But only if you use the curl bundled by Apple with macOS. If you get curl with homebrew on the same machine, it will act as documented..
in reply to daniel:// stenberg://

rain 🌦️
rain 🌦️
this is the sort of thing that causes open source projects to get restrictive about trademarks...
in reply to daniel:// stenberg://

David
David
Always annoying when vendors prevent you doing an apples to apples comparison.
in reply to daniel:// stenberg://

Fingel
Fingel
isn’t this the same thing with git? And python? Rule of thumb is never use the garbo that Apple ships with its os directly.
in reply to Fingel

daniel:// stenberg://
daniel:// stenberg://
@Fingel I wouldn't know, I don't use macOs myself anymore than I have to...
@Fingel
in reply to daniel:// stenberg://

Schamschula
Schamschula
Good to know! I generally build and install curl under #MacPorts with the gnutls variant. However, there is no variant that builds against Apple's flavor of LibreSSL. The default build may use the MacPorts version of LibreSSL, if installed in place of OpenSSL.
#macports
in reply to daniel:// stenberg://

Nils Goroll 🕊️
Nils Goroll 🕊️

daniel, i respect and admire you for your considerate and respectful behavior, but would it be appropriate to point out the potential of unintended #mitm interception more clearly in this case?
i mean, the title could also have been "apple does not want you to notice when you are being wiretapped", or do i miss any other precaution they took for this not to happen?

also, i find it shocking that i don't find this shocking any more… 🤯

#mitm
This entry was edited (8 months ago)
in reply to Nils Goroll 🕊️

daniel:// stenberg://
daniel:// stenberg://
@slink it is not in my interests to be alarmist. I believe I describe the problems in the blog post.
@Nils Goroll 🕊️
in reply to daniel:// stenberg://

Björn Stenberg
Björn Stenberg
Minor clarification nitpick: It's not unreliable with "curl on an apple OS", it's unreliable with "apple's build of curl".
in reply to daniel:// stenberg://

manchicken moved!
manchicken moved!
holy crap, that’s a huge difference. Sometimes you use that flag for highly sensitive communication with mTLS.
in reply to daniel:// stenberg://

kalvdans
kalvdans
But did Apple also change the curl manpage to reflect their changes? If so there's no discrepancy between documentation and implementation.
This entry was edited (8 months ago)
in reply to daniel:// stenberg://

Jevin Sweval
Jevin Sweval
they should just put that “extended behavior” behind a new command line flag/environment variable.
in reply to daniel:// stenberg://

Maximilian Hils
Maximilian Hils
Do you happen to know if the fallback check is enforcing certificate transparency?
in reply to Maximilian Hils

daniel:// stenberg://
daniel:// stenberg://
@max I don't think anyone knows details about the check since the LibreSSL source code they use don't seem to be provided anywhere and Apple's brief comment about did not say a lot.
@Maximilian Hils