
I use it all the time in-house because we have in-house, air-gapped systems

I know some people feel strongly about this one

But the only time it could lead to a problem is if you pass user/pass and you have a MITM situation.

So maybe only allow it if not passing user and pass

If it’s just a download and we know we aren’t on a TOR node situation then privacy isn’t that great of a concern

My two cents! Open to changing my mind



If you have a closed system, then you have two options: use plain http if you really trust the environment, or use your own CA and have a trusted https. Having an untrusted https and disabling it is a double waste of time.


We have our own CA but they don’t originate with any known root. They are self signed certs


That's ok, that's how you normally do it. But then the second step is adding that CA to the trusted store on all relevant clients, so that it can actually get verified. (Otherwise why bother with the CA, just self-sign everything individually)
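
Added example, not part of the thread or any commenter's post: a shell walk-through of the private-CA setup discussed above, using the `openssl` CLI. It builds a throwaway CA, issues a server certificate from it, and checks which certificates a client holding only that CA file would accept; the names `demo-internal-ca` and `files.internal.example` are constructed.

```shell
#!/bin/sh
# Added example. Constructed names: demo-internal-ca, files.internal.example.

# Build a throwaway private CA in directory $1 and issue one server cert from it.
make_pki() {
    d=$1
    # Root CA: self-signed. ca.pem is the only file clients need, either in the
    # OS trust store or passed per call with curl --cacert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-internal-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server key and CSR, then the CA signs it with a SAN for the host name.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=files.internal.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:files.internal.example\n' > "$d/san.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/san.ext" \
        -out "$d/server.pem" 2>/dev/null || return 1
    # For contrast: a certificate self-signed on its own, unrelated to the CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=files.internal.example" \
        -keyout "$d/lone.key" -out "$d/lone.pem" 2>/dev/null || return 1
}

# trusted_for CA_FILE CERT HOST: succeed only if CERT chains to CA_FILE and names HOST.
# These are the two checks that curl -k switches off.
trusted_for() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

report() {
    if trusted_for "$1" "$2" "$3"; then
        echo "accept  $(basename "$2") as $3"
    else
        echo "REJECT  $(basename "$2") as $3"
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }
    report "$d/ca.pem" "$d/server.pem" files.internal.example   # issued by the CA
    report "$d/ca.pem" "$d/server.pem" other.internal.example   # right CA, wrong host
    report "$d/ca.pem" "$d/lone.pem"   files.internal.example   # self-signed on its own
    rm -rf "$d"
}

demo
```
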


It’s our lack of a DevOps / Platform Dept. Our traditional IT groups won’t do it sadly

I mean invest in Smallstep SSH - nope


So let me get this straight: your IT won't do something, you're too lazy to add one flag to your scripts, so your solution is to ask that everyone has their security downgraded instead? That's... one way to approach tech issues.


It’s obviously not a suggestion for everyone as I understand. If I could edit my original comment I would strike out my suggestion.


Just don't do that. Some of us (hello) live in countries that perform or tried to perform HTTPS MITM on a massive scale, and only had to roll back because so much well-behaving shit broke.

If software suddenly started accepting invalid certificates, they would have no incentive of rolling it back. HTTPS would make zero sense then.


curl does accept if you enable the option to do so. It is optional


This doesn't make it a good idea to break HTTPS by default. Defaults matter, if everything ignored HTTPS errors by default, I would be talking to you over a MITMed connection right now. Because so much software stopped working, they had to roll back that braindead idea in less than a day.


A MITM situation is relevant even without a credential and isn't at all about privacy: an attacker can swap out a different file for the one you wanted to download.


You are right. Hash (if provided) would still need to be verified upon download


Add the signing authorities to your system's certificate store if it's that big of an annoyance. Or make your own custom alias that includes -k. But this absolutely cannot be default. HTTPS ensures that you are connected to the server you think you are and that no one is messing with your data in transit.


I totally understand this isn’t popular. But even if it doesn’t originate from a certificate chain, it is still encrypted between you and the website. Having the certificate chain lets you know the certificate is part of a chain of trust and prevents MITM


If you're downloading and running a binary or script (pretty common use of curl), anyone on your local network (and beyond) will be able to modify the file and thus take over your machine.


This is like downloading from local Artifactory or Bamboo



