Replies: 3 comments 10 replies
-
I insist that this problem is not curl's. curl does the transfer you ask it to do. If you want to do a secure transfer, use a secure and authenticated transfer mechanism such as HTTPS. Don't ask curl to do insecure transfers if you want secure. It is easy to always just use curl provides options to disable the use of a specific protocols, such as curl will not auto-enable HSTS for specific domain names. |
Beta Was this translation helpful? Give feedback.
-
I don't question curl doing what is asked of it. I question whether or not an URI with no scheme is asking for HTTP. Maybe there's some RFC somewhere that says it is. Or maybe it's just some outdated convention. I don't know. However, I believe the intent of preloading .dev into HSTS is that it should be HTTPS by default. But I guess even modifying the guess to prefer HTTPS when it sees a .dev TLD is objectionable, on the basis that it's just one entry in a vast database, and it's irregular and unpredictable to give it special handling. Certainly changing the default arbitrarily is bound to break stuff, and that's why we still have an insecure-by-default internet. Maybe it's worth enabling incremental changes to the default until maybe one day the internet is no longer that way, but I'm not going to push for it. I saw something, I said something. I did my part. |
Beta Was this translation helpful? Give feedback.
-
So here's a fun search to run on GitHub: But these ones get the gold star: |
Beta Was this translation helpful? Give feedback.
-
SSL stripping involves intercepting the initial HTTP connection which is supposed to redirect to the HTTPS site, and returning something which does not redirect to the expected HTTPS site, so subsequent transactions carry on in cleartext or carry on to the wrong server. It's a gaping hole that's supposed to be mitigated by HSTS preload, or by always specifying HTTPS in the URL.
I recently came across a site which had apparently golfed their curl-to-bash install command by removing
https://
and replacing it with-L
, seemingly leaving the operation wide open to MITM attacks.When curl sees an URI with no scheme it ends up using the
CURLU_GUESS_SCHEME
flag which will guesshttp
and nothttps
. It then attempts to get the file using that scheme and if the HTTP site is working correctly it'll get a redirect meaning that you need the-L
option to follow the redirect to the corresponding HTTPS site. If that initial HTTP request is intercepted then hilarity ensues.You can configure curl otherwise, but by default it makes insecure guesses.
Should there be an alternative to
CURLU_GUESS_SCHEME
which guesses only secure protocols? Should there be some means for site administrators to make that the default for the machines that they manage, at the cost of making people mad at them when scripts break?It might be reasonable to make it the default for .dev domains. Google established this as an HTTPS-only domain by putting all sites under it in the HSTS preload implicitly (although this says nothing about non-HTTP traffic).
But HSTS isn't enabled by default. And even if you enable it .dev isn't preloaded by default.
Should
.dev
TLDs be hard-coded with the HSTS upgrade by default? Even without enabling HSTS? If so, how would you use curl to test the redirect that should be present on port 80?Beta Was this translation helpful? Give feedback.
All reactions