Security consequences of disabling CURLOPT
启用CURLOPT_SSL_VERIFYPEER和禁用CURLOPT_SSL_VERIFYHOST的安全后果是什么?
CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, ie that you trust that it was issued by a CA you trust and that it's genuine.
CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you wanted to talk to.
To compare it to a real-life scenario, VERIFYPEER is like checking that the form of ID is one that you recognise (ie passport from a country you trust, staff card from a company you know, ...). VERIFYHOST is like checking the actual name on the card matches who you wanted to talk to.
If you don't use VERIFYHOST (the correct value is 2, not 1, btw), you disable host name verification and open the door to MITM attacks: anyone with a form of ID you trust can impersonate anyone within the set of IDs you trust, eg anyone with a valid passport could pretend they're anyone else with a valid passport.
链接地址: http://www.djcxy.com/p/21734.html上一篇: 如何安全地命令卷曲的轴相机?
下一篇: 禁用CURLOPT的安全后果