65

I have a situation where the client makes a call through curl to a https url. The SSL certificate of the https url is self signed and therefore curl cannot do certificate validation and fails. curl provides an option -k/--insecure which disables certificate validation.

My question is that on using --insecure option, is the data transfer that is done between client and server encrypted(as it should be for https urls)? I understand the security risk because of certificate validation not being done, but for this question I am only concerned about whether data transfer is encrypted or not.

Josh Correia
  • 3,807
  • 3
  • 33
  • 50
randomuser
  • 1,858
  • 2
  • 17
  • 21
  • Very bad strategy; see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). – jww Feb 27 '18 at 17:44
  • 2
    @jww, not necessarily bad if you are in a situation where you don't control the certs being used (self-signed in this case), yet still have a need to test using curl. I agree using self-signed certs without also installing the CA chain (as in an enterprise environment) is a bad idea, but in large orgs, it's often out of the control of the person that's writing some code or using an API. – ntwrkguru Mar 06 '18 at 23:28

2 Answers2

90

Yes, the transfered data is still sent encrypted. -k/--insecure will "only make" curl skip certificate validation, it will not turn off SSL all together.

More information regarding the matter is available under the following link:

Filip Roséen - refp
  • 62,493
  • 20
  • 150
  • 196
2

It will be encrypted but insecure. If you trust the certificate you should add the certificate to your certificate store instead of connecting insecurely.

macOS: sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt

Ubuntu, Debian: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt sudo update-ca-certificates

CentOS 6: yum install ca-certificates update-ca-trust force-enable cp foo.crt /etc/pki/ca-trust/source/anchors/ update-ca-trust extract

CentOs 5: cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

Windows: certutil -addstore -f "ROOT" new-root-certificate.crt

Becky Conning
  • 41
  • 4