Conversation

Notices

1. Embed this notice
   daniel:// stenberg:// (bagder@mastodon.social)'s status on Saturday, 08-Mar-2025 21:04:10 JST daniel:// stenberg://

   Remember: when you run #curl shipped by Apple with the --cacert flag it won't behave like #curl does everywhere else. As I wrote about last year. I think they're doing it wrong. They think its fine.

   https://daniel.haxx.se/blog/2024/03/08/the-apple-curl-security-incident-12604/

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Saturday, 08-Mar-2025 21:08:19 JST Rich Felker

     in reply to

     @bagder A TL;DR for the vuln/backdoor that should make the severity clear to readers:

     Apple's build of curl has silently disabled CA pinning support and allows any certificate signed by a CA the system trusts to be used where the application expected only to accept one explicitly trusted by the application author or user.

   • Embed this notice
     Howard Chu @ Symas (hyc@mastodon.social)'s status on Saturday, 08-Mar-2025 21:38:04 JST Howard Chu @ Symas

     in reply to

     • Rich Felker

     @dalias @bagder this is why the entire notion of system-wide trust stores is so ludicrous. It comes from the mindset of web browser developers only, who want their client to be able to talk to any server without hassles. But for any other client-server application, you only want a specific set of clients talking to a specific set of servers, and therefore should have app-specific trust config. Esp if using cert-based client authent, you only want to trust one specific issuing CA.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Saturday, 08-Mar-2025 21:46:36 JST Rich Felker

     in reply to

     • Howard Chu @ Symas

     @hyc @bagder On the bright side: it means as the owner you can MITM reverse engineer any application running on your Apple that doesn't go out of its way to bypass the system facilities. 🙃