On Oct 28, 2012, at 2:10 PM, Philip Hazel <ph10@???> wrote:
>> ... Due to widespread misunderstanding of the API, many
>> programs using libcurl have made this error: "setting
>> CURLOPT_SSL_VERIFYHOST to TRUE, will result in the SSL connection
>> being insecure against a man-in-the-middle attacker". Sounds harmless,
>> right?
>
> The word "insecure" doesn't sound harmless to me!

Sorry, what I meant is "setting CURLOPT_SSL_VERIFYHOST to TRUE" sounds harmless -- better verify the host, right? The consequence is disastrous, of course.

By the way, libcurl is an excellent library, like PCRE. The problem is that the library was used incorrectly; and also that its API made incorrect usage too easy and non-obvious. Everyone makes mistakes.

Best wishes,
Tom
文林 Wenlin Institute, Inc. Software for Learning Chinese
E-mail: wenlin@??? Web: http://www.wenlin.com
Telephone: 1-877-4-WENLIN (1-877-493-6546)
☯
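
An added example, not part of the message above and not libcurl's own code: a small source scanner that flags the misuse discussed in this thread. It assumes, per libcurl's documentation, that 2 is the CURLOPT_SSL_VERIFYHOST value that enables hostname matching and that TRUE is simply the integer 1; the function names, verdict labels and sample lines are constructed for illustration.

```python
import re

# Matches the C call curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, v)
# and the PHP call curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, v).
CALL = re.compile(
    r"curl(?:_easy)?_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSL_VERIFYHOST\s*,\s*([^)]+?)\s*\)"
)

def classify(value):
    """Map the option's argument to a verdict (labels are hypothetical)."""
    v = value.strip().lower()
    m = re.fullmatch(r"(\d+)u?l?", v)      # normalise 2L, 1UL, 0 ...
    if m:
        v = str(int(m.group(1)))
    if v == "2":
        return "ok"                        # hostname is matched against the cert
    if v in ("1", "true"):
        return "boolean-misuse"            # TRUE == 1, not the documented 2
    if v in ("0", "false"):
        return "disabled"                  # hostname check switched off
    return "review"                        # variable or expression: check by hand

def scan(source):
    """Return (line_number, argument, verdict) for every setopt call found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CALL.finditer(line):
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

# Constructed sample input: C and PHP call sites, one per line.
SAMPLE = """\
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, TRUE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify_mode);
"""

if __name__ == "__main__":
    for lineno, arg, verdict in scan(SAMPLE):
        print(f"line {lineno}: {arg!r} -> {verdict}")
```

Anything not reported as "ok" deserves a look; "review" means the value is computed elsewhere and has to be traced by hand.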