cURL SSL/TLS Certificate Verification is Disabled in Thousands of Plugins!

Libraries, frameworks and plugins save us time and give us functionality. But what about security? The cURL certificate validation settings used in thousands of CMS plugins and PHP libraries are published disabled.

This is important, yet it gets little attention from developers, and it puts the information of millions of users at risk. According to the article published by Scott Arciszewski, the danger keeps growing day by day.

What is cURL?

cURL, used intensely in the web development community, is a command-line utility that is available on all web servers to transfer data to and from remote servers. Many CMS plugins offer a nice feature for downloading, sending or uploading data from remote servers through a PHP library (or libraries in other languages), connecting with cURL rather than driving a real browser for every connection to the remote server.

With cURL, connections can be opened using HTTP, FTP, POP3, SMTP, LDAP and many other protocols, which makes it usable in a lot of areas.

For example, the information you enter on a payment page is sent in the background, over a cURL connection, to the payment provider's server. These connections are usually made over HTTPS, and cURL also performs SSL/TLS certificate validation. This is a really important step: it verifies that the HTTPS server being contacted is the one you intended. However, these cURL security settings are disabled by many developers.

Why Are cURL Security Settings Disabled?

The biggest reason is that the software developer wants the plugin or software to work on all servers with minimal errors, and this causes security vulnerabilities. When the security settings are enabled, cURL attempts to validate the connection to the remote server through SSL/TLS certificate validation. If validation fails, the connection fails and the software cancels sending and receiving data. Unfortunately, a lot of developers know this and disable these settings anyway.

What are cURL Security Settings?

1- The first security setting that gets disabled is CURLOPT_SSL_VERIFYHOST. If this setting is not specified on the cURL connection, the default value is 2. However, many developers set it to false or 0.

This setting checks that the remote server presents a valid TLS certificate issued for the host name you asked to connect to. If it is disabled, cURL completes the connection without verifying the address of the site you are connected to. So you sent a request to connect to one address, but the data transfer succeeds even if the certificate on the server belongs to a different one.

2- The second security setting that gets disabled is CURLOPT_SSL_VERIFYPEER. If this setting is not specified on the cURL connection, the default value is true (1). However, many developers set it to false or 0.

When this setting is disabled, it is sufficient for the server to present any SSL/TLS certificate for the connection to succeed. Regardless of who issued the certificate, the connection to the server is accepted even with a self-signed certificate, and the data transfer takes place.

A quick search on GitHub shows that the way PHP developers use cURL connections is not a small issue that can be ignored: you can see thousands of libraries in which verification is disabled. This shows how big the issue is.
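An added example (not code from the article) of the kind of check that GitHub search suggests: a small PHP audit function that flags curl_setopt() calls which weaken verification. The file names and contents are constructed samples, and the function only recognises literal values, so options set through variables still need a manual look.

```php
<?php
// Added example (not from the article): scan PHP source for cURL calls that
// disable certificate verification. The sample file contents are constructed.

/**
 * Return one finding per curl_setopt() call that weakens TLS verification.
 * Flags CURLOPT_SSL_VERIFYPEER set to false/0 and CURLOPT_SSL_VERIFYHOST set
 * to anything other than 2 (0/false disables the name check; 1 is not a
 * supported value in current libcurl, so it is flagged as well).
 * Only literal values are matched; values passed via variables are not seen.
 */
function audit_curl_verification(string $file, string $source): array
{
    $pattern = '/curl_setopt\s*\(\s*\$\w+\s*,\s*'
             . '(CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST)\s*,\s*'
             . '(true|false|TRUE|FALSE|\d+)\s*\)/';
    $findings = [];
    if (!preg_match_all($pattern, $source, $m, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        return $findings;
    }
    foreach ($m as $match) {
        $option = $match[1][0];
        $value  = strtolower($match[2][0]);
        // Line number = newlines before the match offset, plus one.
        $line   = substr_count($source, "\n", 0, $match[0][1]) + 1;
        $insecure = ($option === 'CURLOPT_SSL_VERIFYPEER' && in_array($value, ['false', '0'], true))
                 || ($option === 'CURLOPT_SSL_VERIFYHOST' && $value !== '2');
        if ($insecure) {
            $findings[] = sprintf('%s:%d %s set to %s', $file, $line, $option, $value);
        }
    }
    return $findings;
}

// Constructed sample inputs: one insecure plugin file and one correct one.
$samples = [
    'plugins/bad-gateway/gateway.php' => "<?php\n\$ch = curl_init(\$url);\n"
        . "curl_setopt(\$ch, CURLOPT_SSL_VERIFYPEER, false);\n"
        . "curl_setopt(\$ch, CURLOPT_SSL_VERIFYHOST, 0);\n",
    'plugins/good-gateway/gateway.php' => "<?php\n\$ch = curl_init(\$url);\n"
        . "curl_setopt(\$ch, CURLOPT_SSL_VERIFYPEER, true);\n"
        . "curl_setopt(\$ch, CURLOPT_SSL_VERIFYHOST, 2);\n",
];

foreach ($samples as $file => $source) {
    foreach (audit_curl_verification($file, $source) as $finding) {
        echo $finding, PHP_EOL; // only the bad-gateway file produces findings
    }
}
```

To audit a real code base, replace the constructed $samples array with the result of reading each .php file under the plugin or vendor directory.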

How Can We Get Rid of cURL Security Issues?

Check the cURL connection code in the software you develop or use. Set the CURLOPT_SSL_VERIFYHOST value to 2 and the CURLOPT_SSL_VERIFYPEER value to true.

Also, some systems may not have a CA certificate bundle installed, current root certificates may not be available, or a certificate validation error may occur for some other reason. To avoid this, you can point cURL at the certificate bundle by adding CURLOPT_CAINFO to your cURL connection. These three settings on the cURL connection should look like the example below.

$curl = curl_init($url); // $url is the HTTPS address you are connecting to
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);    // the certificate name must match the host
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true); // the certificate must chain to a trusted CA
curl_setopt($curl, CURLOPT_CAINFO, 'path/to/yourcacert.pem'); // CA bundle to validate against
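An added example, not the article's code, that wraps the three settings above in a helper which keeps verification on and turns certificate failures into a clear error with the cURL error code, so the failure gets fixed at the CA bundle rather than by switching verification off. The CA bundle path is an assumption; use the one your distribution or Certainty provides.

```php
<?php
// Added example (not the article's code): issue an HTTPS request with
// certificate verification left on and report verification failures with
// their cURL error code instead of hiding them. The bundle path in the usage
// line is an assumption for this example.

function secure_https_get(string $url, ?string $caBundle = null): string
{
    if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('Refusing non-HTTPS URL: ' . $url);
    }
    $curl = curl_init($url);
    $options = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // certificate must chain to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate name must match the host
        CURLOPT_FOLLOWLOCATION => false, // no silent redirects away from the host
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            throw new RuntimeException('CA bundle not readable: ' . $caBundle);
        }
        $options[CURLOPT_CAINFO] = $caBundle;
    }
    curl_setopt_array($curl, $options);

    $body  = curl_exec($curl);
    $errno = curl_errno($curl);
    $error = curl_error($curl);
    curl_close($curl);

    if ($body === false) {
        // These are the errors developers "fix" by disabling verification:
        // 51/60 = peer certificate failed verification (untrusted chain or
        // name mismatch, numbered differently across libcurl versions),
        // 77 = the CA bundle file could not be read.
        $hint = in_array($errno, [51, 60, 77], true)
            ? ' (certificate verification failed: fix the CA bundle, do not disable verification)'
            : '';
        throw new RuntimeException("cURL error $errno: $error$hint");
    }
    return $body;
}

// Usage, assuming this bundle path exists on the system (Debian/Ubuntu layout):
// echo secure_https_get('https://example.com/', '/etc/ssl/certs/ca-certificates.crt');
```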

You can also include the Certainty library, developed and released as open source by Scott Arciszewski, in your software to keep your root certificates up to date on a regular basis.

In these days when information and security matter, this mistake, which constitutes a major security issue yet is ignored by many software developers, should be abandoned immediately.

18/11/2018