cURL in Thousands of Plugins SSL TLS Certificate Verification is Disabled!

Libraries, frameworks and plugins save us time and give us functionality. But what about security? In thousands of CMS plugins and PHP libraries, the cURL certificate validation settings are shipped disabled.

This matters, but it receives little attention from developers, and it puts the information of millions of users at risk. According to an article published by Scott Arciszewski, the danger keeps growing day by day.

What is cURL?

cURL is a command-line utility, heavily used in the web development community and available on practically every web server, for transferring data to and from remote servers. Many CMS plugins use it, through the PHP library or the bindings for other languages, as a convenient way to download, send or upload data to remote servers: the plugin connects with cURL instead of driving a real browser for every connection to the remote server.

With cURL, connections can be opened over HTTP, FTP, POP3, SMTP, LDAP and many other protocols, which makes it usable in a wide range of situations.

For example, the information you enter on a payment page is sent in the background, over a cURL connection, to the payment provider's server. These connections are usually made over HTTPS, and cURL also performs SSL/TLS certificate validation. That validation is the step that confirms you are really talking to the intended HTTPS server. However, many developers disable these cURL security settings.

Why Are cURL Security Settings Disabled?

The biggest reason is that the developer wants the plugin or software to work on every server with as few errors as possible, and this is exactly what creates the vulnerability. When the security settings are enabled, cURL validates the remote server's SSL/TLS certificate before it trusts the connection. If validation fails, the connection fails and the software stops sending and receiving data. Unfortunately, many developers know this and disable the settings anyway.

What are cURL Security Settings?

1- The first security setting that gets disabled is CURLOPT_SSL_VERIFYHOST. If this option is not specified on the cURL connection, its default value is 2. However, many developers set it to false or 0.

This setting checks that the certificate presented by the remote server is actually issued for the host name you are connecting to. If it is disabled, cURL completes the connection without verifying the address of the site you are connected to: you sent a request to secure.com, but the data transfer succeeds even if the certificate on the server belongs to insecure.com.

2- The second security setting that gets disabled is CURLOPT_SSL_VERIFYPEER. If this option is not specified on the cURL connection, its default value is true (1). However, many developers set it to false or 0.

When this setting is disabled, it is enough for the server to present any SSL/TLS certificate for the connection to succeed. Regardless of who issued the certificate, even a self-signed one, the connection to the server is accepted and the data transfer takes place.

A quick search on GitHub shows that this is not a small issue that can be ignored: you can find thousands of cURL connections in PHP libraries with these settings disabled. That shows how big the problem is.

How Can We Get Rid of the cURL Security Issues?

Check the cURL connection code in the software you develop or use. Set CURLOPT_SSL_VERIFYHOST to 2 and CURLOPT_SSL_VERIFYPEER to true.
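The check above is easy to do by hand in one file and tedious across a plugin directory. The following is an added example, not code from the original article, of a small PHP audit helper that scans source text for curl_setopt() and curl_setopt_array() entries that weaken certificate validation. The sample source it scans is constructed here for illustration; in real use you would feed it the contents of each .php file.

```php
<?php
// Added example (not from the original article): find cURL calls that weaken
// certificate validation. The sample source below is constructed for the demo.
declare(strict_types=1);

/**
 * True when the written value disables (or weakens) the given option.
 * CURLOPT_SSL_VERIFYPEER is only safe as true/1; for CURLOPT_SSL_VERIFYHOST
 * the article recommends 2, so anything else is reported.
 */
function isWeakCurlValue(string $option, string $value): bool
{
    $v = strtolower(trim($value, "'\""));
    if ($option === 'CURLOPT_SSL_VERIFYPEER') {
        return in_array($v, ['false', '0', ''], true);
    }
    return $v !== '2';
}

/**
 * Return one finding per weakened option: [line number, option, value as written].
 * Matches both curl_setopt($ch, OPT, VAL) and OPT => VAL inside curl_setopt_array().
 */
function findWeakCurlVerification(string $source): array
{
    $pattern = '/(CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST)\s*(?:,|=>)\s*'
             . '((?i:true|false)|\d+|\'[^\']*\'|"[^"]*")/';
    $findings = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line, $m) && isWeakCurlValue($m[1], $m[2])) {
            $findings[] = [$i + 1, $m[1], $m[2]];
        }
    }
    return $findings;
}

// Constructed sample: two weakened calls, followed by a correctly configured one.
$sample = <<<'SRC'
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // typical "make it work everywhere" hack
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt_array($ch2, [
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
]);
SRC;

foreach (findWeakCurlVerification($sample) as [$line, $option, $value]) {
    printf("line %d: %s set to %s -- certificate validation weakened\n", $line, $option, $value);
}
// Reports line 3 (CURLOPT_SSL_VERIFYPEER false) and line 4 (CURLOPT_SSL_VERIFYHOST 0);
// the curl_setopt_array() block on lines 5-8 is not reported.
```

The regex is deliberately simple and line-based, so an option whose value is computed at runtime or written on a following line will not be caught; treat the output as a starting list for manual review rather than proof that a code base is clean.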

Also, some systems may not have a CA certificate bundle installed, the root certificates may be out of date, or certificate validation may fail for some other reason. To avoid this, you can supply the certificate bundle yourself by adding CURLOPT_CAINFO to your cURL connection. The three options on the cURL connection should end up as in the example below.

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);                 // certificate name must match the host
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);              // chain must be signed by a trusted CA
curl_setopt($curl, CURLOPT_CAINFO, 'path/to/yourcacert.pem');  // root certificate bundle to trust
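Putting the three options together, here is an added example (not code from the original article) of a complete PHP request helper that keeps validation on and fails closed: when the certificate chain cannot be verified it raises an exception instead of silently retrying with verification off. The URL and the CA bundle path in the usage section are placeholders.

```php
<?php
// Added example, not from the original article. A fail-closed HTTPS GET that
// applies the three settings the article recommends. URL and bundle path are
// placeholders to be replaced in real use.
declare(strict_types=1);

/**
 * Perform an HTTPS GET with full certificate validation and return the body.
 * Throws on any transport or verification error; never falls back to
 * CURLOPT_SSL_VERIFYPEER = false when the chain does not validate.
 */
function secureHttpsGet(string $url, ?string $caBundle = null, int $timeout = 10): string
{
    if (stripos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('Only https:// URLs are allowed: ' . $url);
    }
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // do not silently follow redirects to other hosts
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER => true,    // chain must end at a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,       // certificate name must match the host in $url
        CURLOPT_CONNECTTIMEOUT => $timeout,
        CURLOPT_TIMEOUT        => $timeout,
    ];
    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        $opts[CURLOPT_CAINFO] = $caBundle; // explicit root store, e.g. one kept current by Certainty
    }
    curl_setopt_array($ch, $opts);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $errno !== 0) {
        // A peer verification failure (for example CURLE_SSL_CACERT) lands here.
        // The remedy is a current CA bundle via CURLOPT_CAINFO, not disabling checks.
        throw new RuntimeException("cURL error $errno: $error");
    }
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body;
}

// Usage with placeholder values; with an unreadable bundle path this refuses the request.
try {
    $body = secureHttpsGet('https://example.com/', '/path/to/cacert.pem');
    echo strlen($body), " bytes received over a verified TLS connection\n";
} catch (RuntimeException $e) {
    echo 'Request refused: ', $e->getMessage(), "\n";
}
```

The important design choice is that every error path ends in an exception the caller has to handle. Code that catches the verification error and retries with CURLOPT_SSL_VERIFYPEER set to false reintroduces exactly the problem the article describes, only one layer deeper.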

You can also include the Certainty library, developed and released as open source by Scott Arciszewski, in your software to keep your root certificates up to date on a regular basis.

In these days when information and its security matter so much, this mistake, which is a major security issue yet is ignored by many software developers, should be abandoned immediately.
