Download
Browse source Changelog
Documentation
Project   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-users / Single Mail

curl-users

Re: Deprecate unclear -k flag in favour of only using explicit --insecure

From: Rodrigo Zanatta Silva via curl-users <curl-users_at_cool.haxx.se>
Date: Mon, 17 Apr 2017 14:37:13 -0300

I really don't understand how an attacker can use the TLS certificates for
evil. All problems I have with it in real world was about this two options:

* The certificates expired because the site don't pay for it
* They buy a certificate from a company that for some reason are not
trusted.

What is the most common REAL problem we can find about it jungle? What evil
people are doing?

2017-04-09 19:58 GMT-03:00 Daniel Stenberg <daniel_at_haxx.se>:

> On Fri, 7 Apr 2017, VMnIgP5yDWURkomdpGjx via curl-users wrote:
>
> Deprecate the short "-k" option in favour of requiring the longer form
>> "--insecure".
>>
>
> We work *really* hard at not breaking compatibility/existing functionality
> and this is quite the opposite: breaking it on purpose.
>
> I'm not convinced that a lot of users of -k are likely to have done it by
> mistake and that forcing them to use --insecure will save large amounts. A
> few sure, but I think the majority of the ones who use it when they
> shouldn't, do it because they've copied an instruction from somewhere or
> run a script they didn't write themselves. And the mistake of using the
> option while testing and letting it slip into production feels like it is
> still as possible to happen as it hardly happens because of the option
> names but more about not changing the command lines when moving them.
>
> We could discuss adding a warning output, but I know from previous
> discussions that people feel strongly about even such annoyances. Not to
> mention how a warning like that risk causing a "fatique" that causes users
> get used to seeing the warning when -k is used for testing so users won't
> react anyway when the warning then appears where it shouldn't, in
> production.
>
>
> It would be interesting to know the prevalance in open-source software of
>> curl scripts using "-k" or "--insecure", like Google did for the Mad Gadget
>> vulnerability https://opensource.googleblog.
>> com/2017/03/operation-rosehub.html
>>
>
> Only that it isn't that straight-forward to actually figure out when -k /
> --insecure is used "wrongly" or not just based on scripts/command lines. At
> least it would require some sort of definition or classification that I
> haven't figured out how it would work, to make the outcome actually useful.
>
> --
>
> / daniel.haxx.se
>
> -----------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
> Etiquette: https://curl.haxx.se/mail/etiquette.html
>

-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-04-17