@bagder Ah good point. Where I see hashes they tend to appear near the download link.
I will need to be more careful in the future. Thanks for the warning!
seaborgium1234@mastodon.social
One year ago, searching for "CURLOPT_SSL_VERIFYPEER, 0" gave me 153k hits on GitHub and I blogged about the sorry state of TLS certificate verification in code.
@bagder Don't download places sometimes provide hash codes to prevent this? Though they are easily missed/skipped as they are quite boring.
@bagder Is the risk that people using curl to download code could be given malicious code instead?
I've disabled stuff like that while developing and servers locally. Also, employer intranet sites might sometimes need it off.