
Disabling cert checks: we have not learned much


And by that I mean the global "we" as in the world of developers.

In the beginning there was SSL

When I first learned about SSL and how to use it in the mid to late 1990s, it took me a while to realize and understand the critical importance of having the client verifying the …

If you have an active middle man intercepting and wanting to snoop on the TLS traffic, it needs to provide a different certificate and unless that can get signed by a CA you trust, the verification fails.

Ten years later, in October 2012, there was a paper published called "The most dangerous code in the world", in which the authors insisted that the widespread problem of applications not verifying TLS certificates with libcurl was because "This interface is almost perversely bad". After that most dangerous article was posted in 2012 that basically said we were worthless, without ever telling that to us or submitting an issue or pull-request with us, we changed how CURLOPT_SSL_VERIFYHOST worked in the 7.28.1 release – shipped in December 2012.
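An added example, not from the original post or the curl project: a small source audit that flags libcurl calls which switch off or weaken the certificate checks described above. The sample C lines are constructed, and the treatment of the value 1 for CURLOPT_SSL_VERIFYHOST follows libcurl's documentation rather than anything stated on this page.

```python
import re

# curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|VERIFYHOST, <value>)
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*"
    r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^)]+?)\s*\)"
)

OFF = {"0", "0L", "FALSE"}
# Literal values that request full verification for each option.
FULL = {
    "CURLOPT_SSL_VERIFYPEER": {"1", "1L", "TRUE"},
    "CURLOPT_SSL_VERIFYHOST": {"2", "2L"},
}

def audit(source):
    """Return (line, option, value, verdict) for every setting that is not
    a literal request for full verification. Line-based; does not parse C."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for option, value in SETOPT.findall(line):
            v = value.upper()
            if v in FULL[option]:
                continue
            if v in OFF:
                verdict = "disabled"
            elif option.endswith("HOST") and v in {"1", "1L", "TRUE"}:
                # 1 is not the documented "verify" value for this option;
                # libcurl's documentation says to use 2 for the host check.
                verdict = "use-2L"
            else:
                verdict = "review"  # variable, macro or cast: check by hand
            findings.append((lineno, option, value, verdict))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, TRUE);
curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 2L);
curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, verify_flag);
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```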
