curl - Is data encrypted when using the --insecure option?

Question

I have a situation where the client makes a call through curl to a https url. The SSL certificate of the https url is self signed and therefore curl cannot do certificate validation and fails. curl provides an option -k/--insecure which disables certificate validation.

My question is that on using --insecure option, is the data transfer that is done between client and server encrypted(as it should be for https urls)? I understand the security risk because of certificate validation not being done, but for this question I am only concerned about whether data transfer is encrypted or not.

Very bad strategy; see The most dangerous code in the world: validating SSL certificates in non-browser software. — jww
@jww, not necessarily bad if you are in a situation where you don't control the certs being used (self-signed in this case), yet still have a need to test using curl. I agree using self-signed certs without also installing the CA chain (as in an enterprise environment) is a bad idea, but in large orgs, it's often out of the control of the person that's writing some code or using an API. — ntwrkguru

Filip Roséen - refp Filip Roséen - refp · Accepted Answer · 2011-12-15T12:38:18

Yes, the transfered data is still sent encrypted. -k/--insecure will "only make" curl skip certificate validation, it will not turn off SSL all together.

More information regarding the matter is available under the following link:

curl.haxx.se - Details on Server SSL Certificates

curl - Is data encrypted when using the --insecure option?

2 Answers