daniel:// stenberg://

1 year ago

daniel:// stenberg://
1 year ago

the #Apple #curl #security incident 12604 - or why CA cert verification is unreliable with curl on apple OS

daniel.haxx.se/blog/2024/03/08…

the Apple curl security incident 12604 | daniel.haxx.se

^{daniel.haxx.se}

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 year ago

if doing a tool working everywhere is not already hard enough, some vendors decide to actively work against us and sneakily add backdoor functionality so that curl does not work the same way on their platforms. So now our documentation is wrong. But only if you use the curl bundled by Apple with macOS. If you get curl with homebrew on the same machine, it will act as documented..

in reply to daniel:// stenberg://

rain 🌦️

in reply to daniel:// stenberg:// 1 year ago

this is the sort of thing that causes open source projects to get restrictive about trademarks...

in reply to daniel:// stenberg://

David

in reply to daniel:// stenberg:// 1 year ago

Always annoying when vendors prevent you doing an apples to apples comparison.

in reply to daniel:// stenberg://

Fingel

in reply to daniel:// stenberg:// 1 year ago

isn’t this the same thing with git? And python? Rule of thumb is never use the garbo that Apple ships with its os directly.

in reply to Fingel

daniel:// stenberg://

in reply to Fingel 1 year ago

@Fingel I wouldn't know, I don't use macOs myself anymore than I have to...

@Fingel

in reply to daniel:// stenberg://

Schamschula

in reply to daniel:// stenberg:// 1 year ago

Good to know! I generally build and install curl under #MacPorts with the gnutls variant. However, there is no variant that builds against Apple's flavor of LibreSSL. The default build may use the MacPorts version of LibreSSL, if installed in place of OpenSSL.

#macports

in reply to Schamschula

daniel:// stenberg://

in reply to Schamschula 1 year ago

@schamschula turns out to be very clever!

@Schamschula

in reply to daniel:// stenberg://

Nils Goroll 🕊️

in reply to daniel:// stenberg:// 1 year ago

daniel, i respect and admire you for your considerate and respectful behavior, but would it be appropriate to point out the potential of unintended #mitm interception more clearly in this case?
i mean, the title could also have been "apple does not want you to notice when you are being wiretapped", or do i miss any other precaution they took for this not to happen?

also, i find it shocking that i don't find this shocking any more… 🤯

#mitm

This entry was edited (1 year ago)

in reply to Nils Goroll 🕊️

daniel:// stenberg://

in reply to Nils Goroll 🕊️ 1 year ago

@slink it is not in my interests to be alarmist. I believe I describe the problems in the blog post.

@Nils Goroll 🕊️

in reply to daniel:// stenberg://

Nils Goroll 🕊️

in reply to daniel:// stenberg:// 1 year ago

you do indeed, thank you.

in reply to daniel:// stenberg://

Björn Stenberg

in reply to daniel:// stenberg:// 1 year ago

Minor clarification nitpick: It's not unreliable with "curl on an apple OS", it's unreliable with "apple's build of curl".

in reply to daniel:// stenberg://

manchicken moved!

in reply to daniel:// stenberg:// 1 year ago

holy crap, that’s a huge difference. Sometimes you use that flag for highly sensitive communication with mTLS.

in reply to daniel:// stenberg://

kalvdans

in reply to daniel:// stenberg:// 1 year ago

But did Apple also change the curl manpage to reflect their changes? If so there's no discrepancy between documentation and implementation.

This entry was edited (1 year ago)

in reply to kalvdans

daniel:// stenberg://

in reply to kalvdans 1 year ago

@kalvdans nope

@kalvdans

in reply to daniel:// stenberg://

Maximilian Hils

in reply to daniel:// stenberg:// 1 year ago

Do you happen to know if the fallback check is enforcing certificate transparency?

in reply to Maximilian Hils

daniel:// stenberg://

in reply to Maximilian Hils 1 year ago

@max I don't think anyone knows details about the check since the LibreSSL source code they use don't seem to be provided anywhere and Apple's brief comment about did not say a lot.

@Maximilian Hils

⇧

daniel:// stenberg://

daniel:// stenberg://

daniel:// stenberg://
1 year ago

the Apple curl security incident 12604 | daniel.haxx.se

daniel:// stenberg://

rain 🌦️

David

Fingel

daniel:// stenberg://

Schamschula

daniel:// stenberg://

Nils Goroll 🕊️

daniel:// stenberg://

Nils Goroll 🕊️

Björn Stenberg

manchicken moved!

kalvdans

daniel:// stenberg://

daniel:// stenberg://

Apple curl security incident 12604 | Hacker News

Jevin Sweval

Maximilian Hils

daniel:// stenberg://

daniel:// stenberg://

daniel:// stenberg:// 1 year ago • •

daniel:// stenberg://
1 year ago