Source URL: https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/
Source: Hacker News
Title: Disabling cert checks: we have not learned much
Feedly Summary: Comments
AI Summary and Description: Yes
**Summary:** The text discusses the critical significance of certificate verification in SSL/TLS communication, particularly highlighting the history and evolution of the curl and libcurl libraries in handling SSL verification. It emphasizes the fundamental security risks associated with disabling certificate checks, the necessity for secure software practices, and various challenges and vulnerabilities related to SSL certificate handling.
**Detailed Description:**
The text provides a detailed exploration of the SSL/TLS verification process, focusing on the curl and libcurl libraries, which have been implemented to ensure that server certificates are verified by default to maintain secure communications. Here are the major points discussed:
– **Understanding SSL/TLS:**
– The author recounts their early experiences learning about SSL and how it led to the understanding of certificate verification’s importance.
– As of curl version 7.10 (released in 2002), server certificates are verified by default, aiming to enhance user security.
– **Certificate Verification Process:**
– The standard verification process involves ensuring that the server’s certificate is signed by a trusted certificate authority (CA) and that the certificate’s domain name matches the server being connected.
– An additional method mentioned is “certificate pinning,” which increases security but is considered more fragile.
– **Security Risks of Skipping Verification:**
– Skipping certificate validation exposes users to risks such as man-in-the-middle (MitM) attacks, where attackers could intercept and manipulate connections.
– The text enumerates several challenges that can lead to verification failures, including mismatched server names, active MitM interception without a trusted CA-signed certificate, outdated CA stores, expired certificates, or unsynchronized client clocks.
– **Libcurl API and Changes:**
– Describes the evolution and stability of the libcurl API, including adjustments made to improve security following criticisms from the developer community.
– Highlights the boolean options of CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST, which control certificate verification and are set to ‘TRUE’ and ‘2’ by default, respectively.
– **Current Issues and Vulnerabilities:**
– Despite over two decades of promoting secure defaults, the author reveals a concerning trend where many repositories still disable certificate verification.
– Points to recent CVEs associated with improper handling of SSL certificate verification in various applications, indicating that this remains a prevalent security vulnerability.
– **Call to Action:**
– The author strongly advocates for continuous education on the importance of certificate verification and encourages developers to promote best practices through extensive documentation and proactive engagement in addressing the issues present in existing codebases.
– Suggests a collective responsibility within the developer community to report and correct instances of disabled SSL checks.
This text has significant implications for security and compliance professionals, emphasizing the ongoing importance of maintaining high-security standards in software development, particularly concerning SSL/TLS communications. It serves as a critical reminder of the potential vulnerabilities that can arise from neglecting fundamental security measures and reinforces the need for vigilance in software practices surrounding encryption.