mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2024-12-09 06:30:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

docs: mention indirect effects of --insecure

Browse Source 
Warn users that disabling certficate verification allows servers to
"pollute" curl with data it trusts.

Reported-by: Harry Sintonen
Closes #10126
This commit is contained in:
Daniel Stenberg 2022-12-21 23:36:57 +01:00
parent 07dfbc08bf
commit ee583c68d4
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
3 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/cmdline-opts/insecure.d
View File

@ -26,3 +26,8 @@ For SFTP and SCP, this option makes curl skip the *known_hosts* verification.
".ssh" subdirectory, which contains host names and their public keys.
**WARNING**: using this option makes the transfer insecure.
When curl uses secure protocols it trusts responses and allows for example
HSTS and Alt-Svc information to be stored and used subsequently. Using
--insecure can make curl trust and use such information from malicious
servers.

11
docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
View File

@ -67,6 +67,17 @@ The default value for this option is 2.
This option controls checking the server's certificate's claimed identity.
The server could be lying. To control lying, see
\fICURLOPT_SSL_VERIFYPEER(3)\fP.
WARNING: disabling verification of the certificate allows bad guys to
man-in-the-middle the communication without you knowing it. Disabling
verification makes the communication insecure. Just having encryption on a
transfer is not enough as you cannot be sure that you are communicating with
the correct end-point.
When libcurl uses secure protocols it trusts responses and allows for example
HSTS and Alt-Svc information to be stored and used subsequently. Disabling
certificate verification can make libcurl trust and use such information from
malicious servers.
.SH LIMITATIONS
Secure Transport: If \fIverify\fP value is 0, then SNI is also disabled. SNI is
a TLS extension that sends the hostname to the server. The server may use that

5
docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3
View File

@ -61,6 +61,11 @@ man-in-the-middle the communication without you knowing it. Disabling
verification makes the communication insecure. Just having encryption on a
transfer is not enough as you cannot be sure that you are communicating with
the correct end-point.
When libcurl uses secure protocols it trusts responses and allows for example
HSTS and Alt-Svc information to be stored and used subsequently. Disabling
certificate verification can make libcurl trust and use such information from
malicious servers.
.SH DEFAULT
By default, curl assumes a value of 1.
.SH PROTOCOLS