
Re: curl-users--insecure (Daniel Stenberg)

From: Daniel Stenberg <>
Date: Wed, 23 Aug 2017 15:28:57 +0200 (CEST)

On Wed, 23 Aug 2017, Timothe Litt wrote:

>> Would adding a warning help? Here's a PR doing that:

> I don't see how this helps. I know I specified --insecure - confirming it
> doesn't incent me to do otherwise.

I think a lot of people use -k pasted from somewhere without knowing what it
means - the stackoverflow effect. I also think that curl is used insecurely
from within lots of scripts without all users of these scripts knowing that,
and these users could now spot the warning.

This said, I actually don't think this little warning will change much as we
users have long been well trained at ignoring warnings - especially if
everything still seems to work fine.

> a) Encourage DANE (and support it in curl) - though whether curl support
> would drive adoption is open

That's a looong term vision. Not to mention how this then expects people to
put their self-signed certs into the DNS, which most certainly will always be
more complicated than just continuing to use --insecure...

We've had DANE mentioned in the TODO document for years and while we've seen
at least two efforts in making it reality, it is a big chunk of complicated
work. DANE is not exactly getting much love from the browser world so it's not
likely to be a real solution for HTTPS within the foreseeable future.

> b) Take a leaf from ssh's book: add a simple mechanism for retrieving a
> server's certificate and adding it to a trust store.

That's indeed an interesting idea! There's a long list of issues to deal with
though, things that make this much more complicated than the "easy" case ssh
has with known hosts.

In addition to that great list of challenges we also have

   * what TLS library backend is used
   * HTTPS proxy support (for some TLS backends)

I firmly agree that it would be really neat to have a start at this that at
least helps the user move away from the --insecure option.

Received on 2017-08-23
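The "ssh known_hosts" idea discussed in this thread already has a partial counterpart in curl: once a server's certificate has been saved (for instance from `openssl s_client -connect host:443 -showcerts`), a self-signed cert can be trusted explicitly with `--cacert`, or the server's key can be pinned with `--pinnedpubkey sha256//<base64>`, which hashes the DER SubjectPublicKeyInfo. The script below is an added example written for this page, not curl's own code or anything from the mail's author. It extracts the SubjectPublicKeyInfo from a certificate with a minimal DER walker and produces the `--pinnedpubkey` argument that would replace `-k`. The names `extract_spki`, `spki_pin`, `curl_pinned_command` and `build_sample_cert` are this example's own, and the embedded certificate is a constructed, structurally shaped skeleton (empty Name and Validity fields) so that the script runs offline; a real deployment feeds it a saved PEM instead.

```python
import base64
import hashlib

SEQUENCE = 0x30
CONTEXT_0 = 0xA0   # EXPLICIT [0] tag wrapping the optional X.509 version field


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _tlv(buf: bytes, pos: int):
    """Decode the TLV header at pos: (tag, header_start, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    value_start = pos + 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[value_start:value_start + n], "big")
        value_start += n
    else:
        length = first
    value_end = value_start + length
    if value_end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, value_start, value_end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of a DER X.509 certificate.

    Walks Certificate -> tbsCertificate -> [version] serial, signature,
    issuer, validity, subject, subjectPublicKeyInfo, skipping the fields
    positionally rather than decoding them.
    """
    tag, _, pos, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tag, _, pos, tbs_end = _tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, _, end = _tlv(cert_der, pos)
    if tag == CONTEXT_0:                          # version is OPTIONAL (absent in v1)
        pos = end
    for _ in range(5):                            # serial, signature, issuer, validity, subject
        _, _, _, pos = _tlv(cert_der, pos)
    tag, start, _, end = _tlv(cert_der, pos)      # subjectPublicKeyInfo
    if tag != SEQUENCE or end > tbs_end:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[start:end]


def spki_pin(spki_der: bytes) -> str:
    """Hash the SPKI the way curl's --pinnedpubkey expects: sha256//<base64 digest>."""
    return "sha256//" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pem_to_der(pem: str) -> bytes:
    lines = [line.strip() for line in pem.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def curl_pinned_command(pem: str, url: str) -> list:
    """Build the curl argv that replaces -k with a pin derived from a saved certificate."""
    pin = spki_pin(extract_spki(pem_to_der(pem)))
    return ["curl", "--pinnedpubkey", pin, url]


# Constructed sample: a certificate-shaped DER skeleton, not a valid certificate.
RSA_OID = bytes.fromhex("06092a864886f70d010101")          # 1.2.840.113549.1.1.1
ALG_ID = _der(SEQUENCE, RSA_OID + b"\x05\x00")             # rsaEncryption, NULL params
SAMPLE_SPKI = _der(SEQUENCE, ALG_ID + _der(0x03, b"\x00" + b"\x41" * 256))


def build_sample_cert(with_version: bool = True) -> bytes:
    """Assemble the skeleton; with_version=False mimics a v1 cert without the [0] field."""
    fields = b""
    if with_version:
        fields += _der(CONTEXT_0, _der(0x02, b"\x02"))         # version v3
    fields += _der(0x02, b"\x01")                              # serialNumber
    fields += ALG_ID                                           # signature algorithm
    fields += _der(SEQUENCE, b"") * 3                          # issuer, validity, subject (empty)
    fields += SAMPLE_SPKI
    tbs = _der(SEQUENCE, fields)
    return _der(SEQUENCE, tbs + ALG_ID + _der(0x03, b"\x00" * 33))


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(" ".join(curl_pinned_command(to_pem(build_sample_cert()), "https://example.invalid/")))
```

Unlike `-k`, a pin still fails closed when a different key is presented, so it is the trust-on-first-use step that a known_hosts-style mechanism would automate; the price is that the pin has to be refreshed whenever the server rotates its key, which is why `--cacert` with the saved self-signed certificate is usually the simpler route for a long-lived script.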