Created on 2025-02-12 06:35 and updated on 2025-02-12 07:00.
Description
The article "Disabling cert checks: we have not learned much" by Daniel Stenberg, published on February 11, 2025, discusses the persistent issue of developers disabling SSL/TLS certificate verification in applications, despite the security risks involved. Stenberg reflects on the history of SSL/TLS usage, emphasizing that since 2002, curl has verified server certificates by default to prevent man-in-the-middle attacks. He highlights common challenges that lead developers to disable certificate verification, such as development environment mismatches, outdated CA stores, or expired certificates. Despite efforts to educate and design APIs that encourage secure practices, the problem persists, indicating a need for continued emphasis on the importance of proper certificate verification in software development.
A quick CVE search immediately reveals security vulnerabilities for exactly this problem published only last year:
- CVE-2024-32928 – The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices.
- CVE-2024-56521 – An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.
- CVE-2024-5261 – In affected versions of Collabora Online, in LibreOfficeKit, curl’s TLS certificate verification was disabled (CURLOPT_SSL_VERIFYPEER of false).
Vulnerabilities included in this bundle
Meta
[ { ref: [ "https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/", "https://mastodon.social/@bagder/113985850446646249", ], }, ]
Author
Cédric BonhommeCombined sightings
| Author | Vulnerability | Source | Type | Date |
|---|