Are you interested in helping out to make a Network.framework SSL backend for #curl?

The Secure Transport one is going away and this could be a new way to use the native Apple system.

But code does not write itself. There is an embryo started, but it needs love.

github.com/curl/curl/pull/1750…

lib: add Network.framework SSL backend by conradev · Pull Request #17506 · curl/curl

Hi everyone! I started working on a Network.framework backend for curl a bit ago. I had a few motivations for writing this: Wanting to use curl with system SSL without compiling anything on iOS/wa...

^GitHub

Referring sites for visitors to #curl's GitHub repository over the last 14 days.

Interesting I think.

The #curl bug-bounty has paid 91,900 USD in reward money

For 80 confirmed security problems.

FTP is quite unique in the #curl collection of protocols due to its (weird) mandatory use of a separate TCP connection for the data transfer (and the fact that it can be setup in either direction, client to server or server to client) . It is complicated for users, for sysadmins and it is a complication in source code and internal curl TCP management as well.

So yeah, it also keeps causing us headaches to this day.

Circa five years ago the browsers dropped FTP support.

#curl still supports it. In 2024, 23% of curl users said they used FTP within the past two years.

My post from April 2020:

daniel.haxx.se/blog/2020/04/15…

curl is not removing FTP

FTP is going out of style. The Chrome team has previously announced that they are deprecating and removing support for FTP. Mozilla also announced their plan for the deprecation of FTP in Firefox.

^{daniel.haxx.se}

Decomplexification - making #curl use simpler code

daniel.haxx.se/blog/2025/05/29…

Decomplexification

(Clearly a much better word than simplification.) I believe we generally accept the truth that we should write simple and easy to read code in order to make it harder to create bugs and cause security problems.

^{daniel.haxx.se}

How to build #curl against Apple's LibreSSL:

github.com/jeroen/apple-libres…

GitHub - jeroen/apple-libressl-sdk: Missing sdk files to link to LibreSSL and nghttp2 on MacOS

Missing sdk files to link to LibreSSL and nghttp2 on MacOS - GitHub - jeroen/apple-libressl-sdk: Missing sdk files to link to LibreSSL and nghttp2 on MacOS

^GitHub

891 persons have already responded to the #curl survey 2025. If you have not, please consider donating a few minutes of your time and help us out!

daniel.haxx.se/blog/2025/05/19…

The curl user survey 2025 is up

Yes! curl user survey 2025 The time has come for you to once again do your curl community duty. Run over and fill in the curl user survey and tell us about how you use curl etc.

^{daniel.haxx.se}

How can #OpenSource and #security be interconnected?
What will be the future of funding the open source-dependent public digital infrastructure?

These and many other questions will guide the discussion of our panelists:
🔸@bagder from #cURL
🔸@melanierieback from @ros
🔸Matteo Mole from @EuropeanCyber SecurityOrganisation
🔸Nicholas Gates from @OpenForumEurope
🔸Mirko Boehm from #TheLinuxFoundation

Join the webinar : europeanopensource.academy/for…

Starting a #curl release presentation on twitch right now:

twitch.tv/curlhacker

curlhacker - Twitch

curl up 2025 day two

^Twitch

The two #curl CVEs we publish today are both rated medium and affect QUIC connections when curl is built to use wolfSSL

Hiroki Kurosawa reported both and he is rewarded 2540 USD for each from the curl bug-bounty.

With these two, the total bug-bounty payout from #curl now exceeds 90,000 USD over the last few years.

curl.se/docs/bugbounty.html

(thanks to IBB for sponsoring our bug-bounty program!)

#curl 8.14.0 is here with new stuff, bugfixes and two security advisories.

Live-streamed presentation at 08:00 UTC today.

daniel.haxx.se/blog/2025/05/28…

curl 8.14.0

Welcome to another curl release. Release presentation At 8:00 UTC (10:00 CEST), I do a live-streamed release presentation over at Twitch where I talk about all that is new in this release.

^{daniel.haxx.se}

I chatted with @bagder about #Curl and the recent #AI happenings

It's always fun talking to Daniel, and I think there's a lot of good ideas in this one, especially on how to approach AI fueled contributions that aren't slop. And even suggestions on how to deal with slop contributions :)

opensourcesecurity.io/2025/202…

Curl vs AI with Daniel Stenberg

Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl’s new policy of banning the bad actors while establishing some pretty sane AI usage guidelines.

^{Josh Bressers (Open Source Security)}

Reminder: this is how I make #curl releases:

youtu.be/7UQgcSWkSYw?si=9dTFLa…

How to do a curl release - with Daniel Stenberg

Daniel makes the curl 8.12.0 release. Shows how a curl release is done. This is the 264th curl release. Shows the scripts, the procedures and the general pro...

^YouTube

Starting with #curl 8.14.0 coming on Wednesday May 28, the wcurl script comes bundled and gets installed on "make install".

curl.se/wcurl/

I'll be at the OpenInfra Forum tomorrow in Stockholm city and blab. About #curl. I'll bring stickers.

meetup.com/openinfra-user-grou…

OpenInfra Forum #19! 10 year anniversary! 139/150 currently attending.

**Update: För att kunna leverera mat och dryck så är registreringen nu tyvärr stängd. Varmt välkomna alla ni 139 som registrerat er och ser fram emot att s

^Meetup

A year ago I explained how #curl came to get the colon-slash-slash logo

daniel.haxx.se/blog/2024/05/21…

A history of a logo with a colon and two slashes

In the 2015 time frame I had come to the conclusion that the curl logo could use modernization and I was toying with ideas of how it could be changed. The original had served us well, but it definitely had a 1990s era feel to it.

^{daniel.haxx.se}

One week from the pending next #curl release, I uploaded the final release candidate, rc3 to curl.se/rc/

Please consider taking this for a spin and verify that everything seems to work as they should.

Thanks for flying curl.

I ran a quick SFTP performance test with #curl built to use #libssh 0.11.1 vs one built that uses #libssh2 1.11.1 over a 400ms latency connection.

One of them managed to perform this at 1049K/sec, the other reached only 249K/sec.

And the winner is...

libssh2

Funny detail: I sped it up for this kind of use case **fifteen years ago** and blogged about it: daniel.haxx.se/blog/2010/12/08…

Making SFTP transfers fast

SFTP, the SSH File Transfer Protocol, is a misleading name. It gives you the impression that it might be something like a secure version of FTP, perhaps something like FTPS but modeled over SSH instead of SSL.

^{daniel.haxx.se}

Happy #curl inspired Swisscom to add a "disclose your use of AI" to their bug-bounty program:

github.com/swisscom/bugbounty?…

Google go home, you are drunk

#curl

The #curl user survey 2025 is up. Please donate a few minutes of your time and tell us about your view and use of curl.

daniel.haxx.se/blog/2025/05/19…

The curl user survey 2025 is up

Yes! curl user survey 2025 The time has come for you to once again do your curl community duty. Run over and fill in the curl user survey and tell us about how you use curl etc.

^{daniel.haxx.se}

I'll show this slide on Thursday when I talk #curl in Stockholm

meetup.com/openinfra-user-grou…

@bagder Essentially, #curl commit 0ae0abbe72514a75c10bfc4108d9f254f594c086 broke updating #HardenedBSD packages for certain users who use HardenedBSD behind a fully Tor-ified network (a network that uses transparent Tor proxying).

Those users were unable to update their HardenedBSD systems since the package manager uses libcurl behind-the-scenes. Some of these users live in malicious environments (malicious to human life), with actively-exploited applications.

So, this prohibition had a real negative impact, putting our users in harm's way.

If curl had a way to bypass the prohibition, we would've been able to keep our users safe.

This is why I mention #Radicle: they, too, do not support the .onion TLD by default, but can be configured to provide that support.

Radicle has three options:

1. Default: No support, .onion domain lookups will fail.
2. SOCKS support where .onion lookups succeed.
3. Explicit transparent proxying support, so .onion lookups succeed

curl is missing that third option.

I wonder if #curl could follow the wonderful example from the #Radicle project on how to properly support #Tor onion service endpoints.

daniel.haxx.se/blog/2025/05/16…

#TorProject #libcurl #HumanRights

Leeks and leaks

On the completely impossible situation of blocking the Tor .onion TLD to avoid leaks, but at the same time not block it to make users able to do what they want.

^{daniel.haxx.se}

Detecting malicious Unicode in #curl

daniel.haxx.se/blog/2025/05/16…

Detecting malicious Unicode

In a recent educational trick, curl contributor James Fuller submitted a pull-request to the project in which he suggested a larger cleanup of a set of scripts.

^{daniel.haxx.se}