One year ago, searching for "CURLOPT_SSL_VERIFYPEER, 0” gave me 153k hits on GitHub and I blogged about the sorry state of TLS certificate verification in code.
-
@seaborgium1234 correct. Without verifying the certificate, the client cannot tell if there is a MITM attack or if the site is an impostor due to a DNS attack or similar.
It basically disables the security HTTPS otherwise provides.
@bagder Don't download places sometimes provide hash codes to prevent this? Though they are easily missed/skips as they are quite boring.
-
@bagder Don't download places sometimes provide hash codes to prevent this? Though they are easily missed/skips as they are quite boring.
@bagder @seaborgium1234 I mean, if I MITM the payload, I can just as easily provide the corresponding hash
-
@bagder @seaborgium1234 I mean, if I MITM the payload, I can just as easily provide the corresponding hash
@brahms @seaborgium1234 exactly. So sure, if you get the hash from a truly separate and independent source that could work. That's just rarely what's done with hashes.
Digital signatures is typically preferred for integrity checks because of the separate infra used for those.
-
One year ago, searching for "CURLOPT_SSL_VERIFYPEER, 0” gave me 153k hits on GitHub and I blogged about the sorry state of TLS certificate verification in code. (as every hit indicates code that probably disables verification)
Now? 181k hits. 20% more one year later.
The blog post from last year:
disabling cert checks: we have not learned much
And by that I mean the global "we" as in the world of developers. In the beginning there was SSL When I first learned about SSL and how to use it in the mid to late 1990s, it took me a while to realize and understand the critical importance of having the client verifying the … Continue reading disabling cert checks: we have not learned much →
daniel.haxx.se (daniel.haxx.se)
@bagder Sad. 20% is a lot.
Then again, Microsoft writing an RCE into Notepad app is hard to beat.
-
One year ago, searching for "CURLOPT_SSL_VERIFYPEER, 0” gave me 153k hits on GitHub and I blogged about the sorry state of TLS certificate verification in code. (as every hit indicates code that probably disables verification)
Now? 181k hits. 20% more one year later.
The blog post from last year:
disabling cert checks: we have not learned much
And by that I mean the global "we" as in the world of developers. In the beginning there was SSL When I first learned about SSL and how to use it in the mid to late 1990s, it took me a while to realize and understand the critical importance of having the client verifying the … Continue reading disabling cert checks: we have not learned much →
daniel.haxx.se (daniel.haxx.se)
@bagder Maybe the real verified peers were the friends we made along the way
-
One year ago, searching for "CURLOPT_SSL_VERIFYPEER, 0” gave me 153k hits on GitHub and I blogged about the sorry state of TLS certificate verification in code. (as every hit indicates code that probably disables verification)
Now? 181k hits. 20% more one year later.
The blog post from last year:
disabling cert checks: we have not learned much
And by that I mean the global "we" as in the world of developers. In the beginning there was SSL When I first learned about SSL and how to use it in the mid to late 1990s, it took me a while to realize and understand the critical importance of having the client verifying the … Continue reading disabling cert checks: we have not learned much →
daniel.haxx.se (daniel.haxx.se)
@bagder the number is sure to increase as long as people do this and we neglect the existing code that disappears. So, to properly understand this number, we must see it in relation to the amount of newly added code and how they related in the past.
-
@brahms @seaborgium1234 exactly. So sure, if you get the hash from a truly separate and independent source that could work. That's just rarely what's done with hashes.
Digital signatures is typically preferred for integrity checks because of the separate infra used for those.
@bagder Ah good point. Where I see hashes they tend to appear near the download link.
I will need to be more careful in the future. Thanks for the warning! -
One year ago, searching for "CURLOPT_SSL_VERIFYPEER, 0” gave me 153k hits on GitHub and I blogged about the sorry state of TLS certificate verification in code. (as every hit indicates code that probably disables verification)
Now? 181k hits. 20% more one year later.
The blog post from last year:
disabling cert checks: we have not learned much
And by that I mean the global "we" as in the world of developers. In the beginning there was SSL When I first learned about SSL and how to use it in the mid to late 1990s, it took me a while to realize and understand the critical importance of having the client verifying the … Continue reading disabling cert checks: we have not learned much →
daniel.haxx.se (daniel.haxx.se)
@bagder The main reason to disable this is to work with intranet hosts, where setting up TLS is a major hassle (and browsers enforcing it is becoming a big hindrance).
For connecting to the public internet, it doesn't make much sense.
Your post prompted a checkbox setting in our software (which often connect to TLS-enabled hosts through IP addresses or non-default interfaces with different DNS names, but sometimes do need to verify the host name and certificate)
-
One year ago, searching for "CURLOPT_SSL_VERIFYPEER, 0” gave me 153k hits on GitHub and I blogged about the sorry state of TLS certificate verification in code. (as every hit indicates code that probably disables verification)
Now? 181k hits. 20% more one year later.
The blog post from last year:
disabling cert checks: we have not learned much
And by that I mean the global "we" as in the world of developers. In the beginning there was SSL When I first learned about SSL and how to use it in the mid to late 1990s, it took me a while to realize and understand the critical importance of having the client verifying the … Continue reading disabling cert checks: we have not learned much →
daniel.haxx.se (daniel.haxx.se)
@bagder Is there any good way to avoid this with embedded devices?
We build and sell those, and we don't know in advance what the DNS name or the IP address at the installation site will be. And quite frankly, most customers don't bother rolling out proper certificates even in production.
So we ship the device with a demo certificate, and all our SDK libraries have the option to disable certificate verification. Unverified TLS is still better than plain HTTP because it prevents passive snooping.
-
@bagder Is there any good way to avoid this with embedded devices?
We build and sell those, and we don't know in advance what the DNS name or the IP address at the installation site will be. And quite frankly, most customers don't bother rolling out proper certificates even in production.
So we ship the device with a demo certificate, and all our SDK libraries have the option to disable certificate verification. Unverified TLS is still better than plain HTTP because it prevents passive snooping.
@inguin a popular way is to instead do cert pinning, but that comes with some other challenges.
-
@tante might very well be as there is a lot of such code to "get inspired by" ...
-
One year ago, searching for "CURLOPT_SSL_VERIFYPEER, 0” gave me 153k hits on GitHub and I blogged about the sorry state of TLS certificate verification in code. (as every hit indicates code that probably disables verification)
Now? 181k hits. 20% more one year later.
The blog post from last year:
disabling cert checks: we have not learned much
And by that I mean the global "we" as in the world of developers. In the beginning there was SSL When I first learned about SSL and how to use it in the mid to late 1990s, it took me a while to realize and understand the critical importance of having the client verifying the … Continue reading disabling cert checks: we have not learned much →
daniel.haxx.se (daniel.haxx.se)
@bagder I make verify peers enabled by default, but optional to disable it, in my audio player, because I can't exactly easily grant people the ability to add random certificates for their internet radio streams, which may not even be TLS protected in the first place, so this setting doesn't affect them in that case.
-
@bagder Is there any good way to avoid this with embedded devices?
We build and sell those, and we don't know in advance what the DNS name or the IP address at the installation site will be. And quite frankly, most customers don't bother rolling out proper certificates even in production.
So we ship the device with a demo certificate, and all our SDK libraries have the option to disable certificate verification. Unverified TLS is still better than plain HTTP because it prevents passive snooping.
-
R relay@relay.infosec.exchange shared this topic
