everyone I wanna confirm one thing about curl.
If I use -k option in curl, is the data transfer still be secure? I think so, because below
point1: from https://curl.se/docs/sslcerts.html, looks like -k only skips SSL certificate verification, does not affect follow-up data transfer
point2: from wireshark packet capture in my test, the application data protocol is still "http-over-tls" and data is encrypted as well
If you use -k, cURL will skip verifying the SSL certificate of the website you connect to. You are right that the data transfer will still be encrypted, and so you will be protected against someone who can snoop on your network.
The problem arises when you have someone who can actively redirect traffic on your network. They could run what's called a man-in-the-middle attack, and be able to read (or modify!) the data that's being transferred.
In other words: when you connect to https://google.com, there's two parts to the security:
Using the -k option (disabling certificate validation) removes that second component of the security (as that's the whole idea behind certificates). Because of the danger of a man-in-the-middle attack, it's not considered secure—but it is still encrypted!
