Discussion:
--insecure
Daniel Stenberg
2017-08-23 08:08:37 UTC
Hi friends,

On github alone, "curl --insecure" is used in source code at least 117,000
times. With a possible addition of about 196,000 instances where "curl -k" is
used.

Some of these use cases are probably totally legit, especially when you get
things from localhost or similar, but many of them should probably rather make
the connection to the self-signed server secure by using a cacert for it.

Is there anything we can do to reduce the use of insecure SSL connections done
by curl in the world?

Would adding a warning help? Here's a PR doing that:

https://github.com/curl/curl/pull/1821
--
/ daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette
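An added example, not code from the thread or from the curl project, showing what the audit Daniel describes looks like when run over a script: it lists every curl invocation that disables certificate verification, sets aside the localhost cases the message calls legitimate, and shows the rewrite to --cacert. The sample script, its hostnames and the <server-ca.pem> placeholder are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the curl project or the thread): audit a shell
# script for curl calls that disable certificate verification (-k /
# --insecure) and suggest the --cacert form instead.

# Constructed sample script with a mix of legitimate and risky usages.
SAMPLE="${TMPDIR:-/tmp}/curl_audit_sample.$$"
cat > "$SAMPLE" <<'EOF'
# constructed sample: a mix of legitimate and risky usages
curl -k https://localhost:8443/health
curl --insecure https://build.example.internal/artifact.tgz
curl -sSLk https://updates.example.com/install.sh | sh
curl --cacert /etc/ssl/build-ca.pem https://build.example.internal/artifact.tgz
curl -o out.bin https://example.org/file
EOF

# Print every curl line that disables verification. Handles the long form,
# the bare -k, and -k bundled into a cluster of short flags such as -sSLk.
insecure_curl_lines() {
    grep -E 'curl[[:space:]]' "$1" |
        grep -E -e '--insecure([[:space:]]|$)' \
                -e '(^|[[:space:]])-[A-Za-z]*k[A-Za-z]*([[:space:]]|$)' ||
        true
}

# Drop lines whose URL points at localhost or 127.0.0.1; those are the
# cases the thread treats as probably legitimate. Everything left should
# trust the server's own CA via --cacert rather than skipping verification.
risky_curl_lines() {
    insecure_curl_lines "$1" |
        grep -Ev 'https?://(localhost|127\.0\.0\.1)([:/]|$)' || true
}

# Number of risky lines (prints 0 when there are none).
count_risky() {
    risky_curl_lines "$1" | grep -c . || true
}

# Rewrite a curl line so that -k / --insecure becomes --cacert with a
# placeholder path. A bundled -k (as in -sSLk) is removed from the cluster
# and --cacert appended after it.
suggest_fix() {
    sed -E \
        -e 's/(^|[[:space:]])--insecure([[:space:]]|$)/\1--cacert <server-ca.pem>\2/' \
        -e 's/(^|[[:space:]])-k([[:space:]]|$)/\1--cacert <server-ca.pem>\2/' \
        -e 's/(^|[[:space:]])-([A-Za-z]*)k([A-Za-z]*)([[:space:]]|$)/\1-\2\3 --cacert <server-ca.pem>\4/'
}

echo "curl invocations that skip certificate verification (non-localhost):"
risky_curl_lines "$SAMPLE"
echo "count: $(count_risky "$SAMPLE")"
echo
echo "suggested rewrites:"
risky_curl_lines "$SAMPLE" | suggest_fix
```

Run it against a real script by pointing the functions at that file instead of the constructed sample; the <server-ca.pem> placeholder stands for the certificate (or CA bundle) that actually signed the server's certificate.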
Gisle Vanem via curl-users
2017-08-23 10:33:58 UTC
Post by Daniel Stenberg
On github alone, "curl --insecure" is used in source code at least 117,000 times. With a possible addition of about
196,000 instances where "curl -k" is used.
You got these numbers from the Github logs?
Post by Daniel Stenberg
Some of these use cases are probably totally legit, especially when you get things from localhost or similar, but many
of them should probably rather make the connection to the self-signed server secure by using a cacert for it.
On the other hand, after I enabled 2FA, I'm not able to get any content from
raw.githubusercontent.com now; always gives me a "404 Not Found".
Maybe this is related to 2FA. If so, this seems too strict.

I do have login/pass entries in my '%HOME%/_netrc' for raw.githubusercontent.com
and github.com. But only a 'curl --no-netrc' will give me the real content.
E.g.
curl https://raw.githubusercontent.com/nlohmann/json/v2.1.1/src/json.hpp (fail; 404)
curl --no-netrc https://raw.githubusercontent.com/nlohmann/json/v2.1.1/src/json.hpp (OK)
--
--gv
Benedikt Christoph Wolters
2017-08-23 11:47:13 UTC
I think -k is more troubling as it hides the insecureness behind some
mysterious 'k' switch.
At the same time I am against removing '-k', because it would be a
huge change and break a lot of stuff (with little benefit).
Post by Gisle Vanem via curl-users
You got these numbers from the Github logs?
https://github.com/search?q=curl+--insecure&type=Code&utf8=%E2%9C%93

In fact -k seems to be more heavily in use.
https://github.com/search?q=curl+-k&type=Code&utf8=%E2%9C%93

I think a warning will certainly help. I wouldn't go beyond.


Qapla'!
Benedikt