cURL in Thousands of Plugins: SSL/TLS Certificate Verification is Disabled!
Libraries, frameworks and plugins save us time and give us functionality. But what about security? The cURL certificate validation settings used in thousands of CMS plugins and PHP libraries are published with verification disabled.
This is important, but it gets little attention from developers, and it puts the information of millions of users at risk. According to an article published by Scott Arciszewski, the danger continues to grow day by day.
What is cURL?
cURL, used intensively in the web development community, is a command-line utility and library found on practically every web server and used to transfer data to and from remote servers. Many CMS plugins and PHP libraries (and software in other languages) offer features for downloading, sending or uploading data to remote servers, and they connect with cURL rather than opening an actual browser for every connection to the remote server.
With cURL, connections can be opened over HTTP, FTP, POP3, SMTP, LDAP and many other protocols, which makes it usable in a great many areas.
For example, the information you enter on a payment page is sent in the background, over a cURL connection, to the payment provider's server. These connections are usually made over HTTPS, and cURL also performs SSL/TLS certificate validation. This is a really important step: it verifies that the HTTPS server being contacted is the one it claims to be. However, these cURL security settings are disabled by many developers.
Why Are cURL Security Settings Disabled?
The biggest reason is that the developer wants the plugin or software to work on all servers with as few errors as possible, and this causes security vulnerabilities. When the security settings are enabled, cURL tries to validate the connection to the remote server through SSL/TLS certificate validation. If the validation fails, the connection fails and the software cancels sending and receiving data. Unfortunately, a lot of developers know this and still disable these settings.
What are cURL Security Settings?
1- The first security setting that gets disabled is CURLOPT_SSL_VERIFYHOST. If this setting is not specified in the cURL connection, the default value is 2. However, many developers set it to false or 0.
This setting checks whether the remote server responds with a valid TLS certificate signed by a trusted Certificate Authority (CA). If it is disabled, cURL completes the connection without verifying the address of the site you connected to. So you sent a request to connect to secure.com, but the data transfer succeeds even if the certificate on the server belongs to insecure.com.
2- The second security setting that gets disabled is CURLOPT_SSL_VERIFYPEER. If this setting is not specified in the cURL connection, the default value is true (1). However, many developers set it to false or 0.
When this setting is disabled, it is sufficient for the server to present any SSL/TLS certificate for the connection to succeed. Regardless of who issued the certificate, the connection to the server is accepted even with a self-signed certificate, and the data transfer takes place.
A quick search on GitHub shows that this is not a small issue that can be ignored: you can see thousands of libraries in which the cURL connections written by PHP developers have these settings disabled. This shows how big the issue is.
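The same search can be run against your own code base. The following PHP script is an added example, not code from the original post: it walks a directory, looks for calls that set CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST to a disabled value (false or 0), and reports file and line. The directory argument and the sample source at the bottom are assumptions constructed for the demo.

```php
<?php
// Added example: audit PHP source for cURL certificate verification being turned off.
// This is a textual heuristic; values passed through variables or constants
// still need a manual review.

// Patterns for the two settings discussed in the article being set to a disabled value,
// in both curl_setopt(..., CURLOPT_X, false) and curl_setopt_array([CURLOPT_X => 0]) form.
const INSECURE_CURL_PATTERNS = [
    'CURLOPT_SSL_VERIFYPEER disabled' => '/CURLOPT_SSL_VERIFYPEER\s*(?:,|=>)\s*(?:false|0)\b/i',
    'CURLOPT_SSL_VERIFYHOST disabled' => '/CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*(?:false|0)\b/i',
];

/** Scan one source string; returns a list of findings (file, line, issue, code). */
function scanSource(string $code, string $name = '<input>'): array
{
    $findings = [];
    foreach (preg_split('/\R/', $code) as $index => $line) {
        foreach (INSECURE_CURL_PATTERNS as $issue => $regex) {
            if (preg_match($regex, $line) === 1) {
                $findings[] = [
                    'file'  => $name,
                    'line'  => $index + 1,
                    'issue' => $issue,
                    'code'  => trim($line),
                ];
            }
        }
    }
    return $findings;
}

/** Recursively scan every .php file under $directory (assumed path). */
function findInsecureCurlOptions(string $directory): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($directory, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $contents = file_get_contents($file->getPathname());
        if ($contents !== false) {
            $findings = array_merge($findings, scanSource($contents, $file->getPathname()));
        }
    }
    return $findings;
}

// Constructed sample input: three cURL snippets, two of them insecure.
$sample = <<<'PHP'
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt_array($ch, [CURLOPT_SSL_VERIFYHOST => 0, CURLOPT_RETURNTRANSFER => true]);
PHP;

foreach (scanSource($sample, 'sample.php') as $f) {
    printf("%s:%d  %s  ->  %s\n", $f['file'], $f['line'], $f['issue'], $f['code']);
}
// Expected report: line 1 (VERIFYPEER disabled) and line 3 (VERIFYHOST disabled); line 2 is clean.

// To audit a real tree instead of the sample:  findInsecureCurlOptions('/path/to/plugins');
```

Any hit is worth treating as a finding to fix in the code rather than a configuration to tolerate, since a single disabled call is enough to expose every request made through that handle.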
How Can We Get Rid of cURL Security Issues?
Check the cURL connection code in the software you develop or use. Change the CURLOPT_SSL_VERIFYHOST value to 2 and the CURLOPT_SSL_VERIFYPEER value to true.
Also, some systems may not have a CA certificate bundle installed, the root certificates may be out of date, or a certificate validation error may occur for some other reason. To avoid this, you can pass the certificate bundle to your cURL connection by adding CURLOPT_CAINFO. The three values in the cURL connection should end up as in the example below.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_CAINFO, 'path/to/yourcacert.pem');
You can also include the Certainty library, developed and released as open source by Scott Arciszewski, in your software to keep your root certificates up to date on a regular basis.
In these days when information and security matter so much, this error, which constitutes a major security issue yet is ignored by many software developers, should be abandoned immediately.
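The three settings above are the fix; what usually pushes developers back to disabling them is the error handling around them. The helper below is an added example, not code from the original post or from Certainty: it wraps an HTTPS GET with the settings from the article, fails closed when the CA bundle is missing, and distinguishes certificate failures from other cURL errors so they are logged and fixed instead of silenced. The URL and bundle path are assumptions; the bundle can be the OS one or the file Certainty keeps current.

```php
<?php
// Added example: hardened HTTPS request helper built on the three settings from the article.

function secureHttpsGet(string $url, string $caBundlePath): string
{
    if (strpos($url, 'https://') !== 0) {
        throw new InvalidArgumentException("Refusing non-HTTPS URL: $url");
    }
    if (!is_readable($caBundlePath)) {
        // Fail closed: a missing bundle is a deployment problem to fix,
        // never a reason to set CURLOPT_SSL_VERIFYPEER to false.
        throw new RuntimeException("CA bundle not readable: $caBundlePath");
    }

    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // do not silently follow redirects to another host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse a downgrade to plain HTTP
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the host name in the URL
        CURLOPT_SSL_VERIFYPEER => true,            // certificate chain must reach a trusted CA
        CURLOPT_CAINFO         => $caBundlePath,   // explicit trust store instead of "whatever is installed"
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);

    $body   = curl_exec($curl);
    $errno  = curl_errno($curl);
    $error  = curl_error($curl);
    $status = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    curl_close($curl);

    if ($body === false) {
        // Certificate problems get their own exception type so monitoring can
        // pick them out; the response is to fix the bundle or the server, not to
        // disable verification.
        if (in_array($errno, [CURLE_SSL_CACERT, CURLE_SSL_PEER_CERTIFICATE], true)) {
            throw new RuntimeException("TLS certificate validation failed for $url: $error");
        }
        throw new RuntimeException("cURL error $errno for $url: $error");
    }
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Unexpected HTTP status $status from $url");
    }
    return $body;
}

// Assumed usage (URL and bundle path are placeholders):
// $response = secureHttpsGet('https://api.example.com/v1/status', '/etc/ssl/certs/ca-certificates.crt');
```

CURLE_SSL_CACERT is what you get when the chain does not reach a CA in the bundle, and CURLE_SSL_PEER_CERTIFICATE when the certificate itself is rejected; both are the cases this article is about, and both should show up in logs as certificate failures rather than as a generic "request failed".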