{"uuid": "26561a4f-d892-4f81-a2d1-231d4980d359", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "disabling cert checks: \"we have not learned much\" from @bagder@mastodon.social", "description": "<img src=\"https://daniel.haxx.se/blog/wp-content/uploads/2022/08/bad-mistakes-ahead.jpg\" width=\"100%\" />\n\nThe article \"Disabling cert checks: we have not learned much\" by Daniel Stenberg, published on February 11, 2025, discusses the persistent issue of developers disabling SSL/TLS certificate verification in applications, despite the security risks involved. Stenberg reflects on the history of SSL/TLS usage, emphasizing that since 2002, curl has verified server certificates by default to prevent man-in-the-middle attacks. He highlights common challenges that lead developers to disable certificate verification, such as development environment mismatches, outdated CA stores, or expired certificates. Despite efforts to educate and design APIs that encourage secure practices, the problem persists, indicating a need for continued emphasis on the importance of proper certificate verification in software development.\n\nA quick CVE search immediately reveals security vulnerabilities for exactly this problem published only last year:\n\n* CVE-2024-32928 \u2013 The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices.\n* CVE-2024-56521 \u2013 An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.\n* CVE-2024-5261 \u2013 In affected versions of Collabora Online, in LibreOfficeKit, curl\u2019s TLS certificate verification was disabled (CURLOPT_SSL_VERIFYPEER of false).\n", "creation_timestamp": "2025-02-12T06:35:44.808978+00:00", "timestamp": "2025-02-12T07:00:09.866541+00:00", "related_vulnerabilities": ["CVE-2024-32928", "CVE-2024-56521", "CVE-2024-5261"], "meta": [{"ref": ["https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/", "https://mastodon.social/@bagder/113985850446646249"]}], "author": {"login": "cedric", "name": "C\u00e9dric Bonhomme", "uuid": "af0120d0-3dac-4a6a-974b-a9f33d2a9846"}}