From ee583c68d4e426f3f6058e8f476229f961cf3dc0 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 21 Dec 2022 23:36:57 +0100 Subject: [PATCH] docs: mention indirect effects of --insecure Warn users that disabling certficate verification allows servers to "pollute" curl with data it trusts. Reported-by: Harry Sintonen Closes #10126 --- docs/cmdline-opts/insecure.d | 5 +++++ docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 | 11 +++++++++++ docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 | 5 +++++ 3 files changed, 21 insertions(+) diff --git a/docs/cmdline-opts/insecure.d b/docs/cmdline-opts/insecure.d index c75817efcc..122f2fcb66 100644 --- a/docs/cmdline-opts/insecure.d +++ b/docs/cmdline-opts/insecure.d @@ -26,3 +26,8 @@ For SFTP and SCP, this option makes curl skip the *known_hosts* verification. ".ssh" subdirectory, which contains host names and their public keys. **WARNING**: using this option makes the transfer insecure. + +When curl uses secure protocols it trusts responses and allows for example +HSTS and Alt-Svc information to be stored and used subsequently. Using +--insecure can make curl trust and use such information from malicious +servers. diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 index 024661b436..5a00f51f30 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 +++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 @@ -67,6 +67,17 @@ The default value for this option is 2. This option controls checking the server's certificate's claimed identity. The server could be lying. To control lying, see \fICURLOPT_SSL_VERIFYPEER(3)\fP. + +WARNING: disabling verification of the certificate allows bad guys to +man-in-the-middle the communication without you knowing it. Disabling +verification makes the communication insecure. Just having encryption on a +transfer is not enough as you cannot be sure that you are communicating with +the correct end-point. + +When libcurl uses secure protocols it trusts responses and allows for example +HSTS and Alt-Svc information to be stored and used subsequently. Disabling +certificate verification can make libcurl trust and use such information from +malicious servers. .SH LIMITATIONS Secure Transport: If \fIverify\fP value is 0, then SNI is also disabled. SNI is a TLS extension that sends the hostname to the server. The server may use that diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 index 7b643a2078..1f94e51a60 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 +++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 @@ -61,6 +61,11 @@ man-in-the-middle the communication without you knowing it. Disabling verification makes the communication insecure. Just having encryption on a transfer is not enough as you cannot be sure that you are communicating with the correct end-point. + +When libcurl uses secure protocols it trusts responses and allows for example +HSTS and Alt-Svc information to be stored and used subsequently. Disabling +certificate verification can make libcurl trust and use such information from +malicious servers. .SH DEFAULT By default, curl assumes a value of 1. .SH PROTOCOLS -- 2.47.3