2
votes

On the PHP docs page about curl_setopt, the most upvoted comment is:

Please everyone, stop setting CURLOPT_SSL_VERIFYPEER to false or 0. If your PHP installation doesn't have an up-to-date CA root certificate bundle, download the one at the curl website and save it on your server:

http://curl.haxx.se/docs/caextract.html

Then set a path to it in your php.ini file, e.g. on Windows:

curl.cainfo=c:\php\cacert.pem

Turning off CURLOPT_SSL_VERIFYPEER allows man in the middle (MITM) attacks, which you don't want!

Really? As I understand it, turning off CURLOPT_SSL_VERIFYPEER stops curl from verifying the peer's certificate, but data transmission stays secure. Which one is true?

1
Well, both statements are true. Indeed it disables the verification of the peer, and this allows an "easy" man-in-the-middle attack. Please note that such an attack does not mean that the data is sent unencrypted. It means someone in the middle can decrypt the transferred data without your knowledge and without you being able to prevent or detect it. - arkascha

1 Answer

6
votes

Yes, it is insecure. If you don't check the certificate, you can't be sure that the sender is truly the server you think you're talking to; it may be an impostor. A man in the middle.

Even impostors can run SSL and negotiate an encrypted connection with you. But they (supposedly) cannot purchase a certificate for the forged site using the legitimate cert name.
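The following PHP script is an added example and is not code from the question, the quoted PHP docs comment, or the answer above. It puts the weak configuration the docs comment warns about (CURLOPT_SSL_VERIFYPEER off) next to the hardened form the comment and the answer argue for: peer verification on, host-name verification on, and a CA bundle supplied either through curl.cainfo in php.ini or per request through CURLOPT_CAINFO. The URL and the bundle path in the usage comment are assumptions for illustration.

```php
<?php
// Added example, not from the original page. The URL and the CA bundle path
// used below are assumptions for illustration.

// The weak form: what the quoted PHP docs comment asks people to stop doing.
function fetch_insecure(string $url): string|false
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Any certificate is accepted, including one a man in the middle
        // presents. The connection is still encrypted, but it may be
        // encrypted to the attacker's key rather than the real server's.
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => 0,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// The hardened form: verify the chain against trusted roots and verify that
// the certificate matches the host name. If $caBundle is null, curl falls
// back to the bundle configured via curl.cainfo in php.ini (that directive is
// PHP_INI_SYSTEM, so it cannot be changed with ini_set() at runtime).
function fetch_verified(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // check the chain against trusted roots
        CURLOPT_SSL_VERIFYHOST => 2,    // and that the cert matches the host name
    ];
    if ($caBundle !== null) {
        // Per-request override of the php.ini curl.cainfo setting.
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    curl_setopt_array($ch, $opts);

    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $error = curl_error($ch);
        curl_close($ch);
        if ($errno === CURLE_SSL_CACERT) {
            // This is the failure that tempts people to set VERIFYPEER to
            // false. The fix is a usable CA bundle, not disabling the check.
            throw new RuntimeException(
                "Certificate chain could not be verified (curl error {$errno}): {$error}. "
                . "Install an up-to-date CA bundle and point curl.cainfo or CURLOPT_CAINFO at it."
            );
        }
        throw new RuntimeException("Transfer failed (curl error {$errno}): {$error}");
    }
    curl_close($ch);
    return $body;
}

// Usage with assumed values:
// $html = fetch_verified('https://example.com/', '/etc/ssl/certs/cacert.pem');
// or, relying on curl.cainfo from php.ini:
// $html = fetch_verified('https://example.com/');
```

Leaving CURLOPT_SSL_VERIFYHOST at 2 matters as much as CURLOPT_SSL_VERIFYPEER: with VERIFYPEER on but VERIFYHOST at 0, curl accepts any certificate that chains to a trusted root, including one issued to a completely different host, which is exactly what the answer's "impostor with a certificate for some other name" scenario needs.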