"disabling cert checks: we have not learned much"
I put my ramblings into a blog post
https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/
@bagder Heh, I know exactly which deleted Mastodon post triggered that rant, it was the first thing I noticed in the code, too.
@chrastecky it is a little "weak" to have that post deleted I must confess...
@bagder Yep, though they've at least fixed the CURLOPT_SSL_VERIFYPEER, so it wasn't all for nothing.
The CURLOPT_SSL_VERIFYHOST stayed at false (coerced to 0), though, but I feel it's the lesser evil of the two (would that be a correct conclusion?).
@chrastecky without verifying the name, someone can use a legit cert from site A for site B without that being noticed
@bagder Yeah, I understood it that way.
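Added example, not part of the thread: a small source scanner that flags the two settings discussed above when they are written as literals, covering both `curl_setopt`/`curl_easy_setopt` calls and array-style options. The sample snippet, the function names and the finding labels are constructed for illustration; values passed through variables are not resolved.

```python
import re

# Matches "CURLOPT_SSL_VERIFYPEER, <literal>" (setopt call style) and
# "CURLOPT_SSL_VERIFYHOST => <literal>" (array style). Variables are skipped.
SETTING = re.compile(
    r"\b(CURLOPT_SSL_VERIFY(?:PEER|HOST))\b\s*(?:,|=>)\s*([A-Za-z0-9_]+)"
)

OFF = {"0", "0l", "false"}        # literals that switch a check off
ONE = {"1", "1l", "true"}         # true is coerced to 1 in some bindings

def classify(option, value):
    """Return a finding label (labels are constructed), or None if fine."""
    v = value.lower()
    if option == "CURLOPT_SSL_VERIFYPEER":
        # Certificate chain is not validated at all.
        return "peer-off" if v in OFF else None
    if v in OFF:
        # Chain may still be checked, but a valid cert issued for another
        # site is accepted for this host.
        return "host-off"
    if v in ONE:
        # libcurl documents 2 as the value that requests the name check.
        return "host-ambiguous"
    return None

def scan(source):
    """Return (line number, option, label) for every risky literal setting."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in SETTING.finditer(line):
            label = classify(m.group(1), m.group(2))
            if label:
                findings.append((lineno, m.group(1), label))
    return findings

# Constructed sample input, not taken from the code the thread refers to.
SAMPLE = """\
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0L);
$opts = [CURLOPT_SSL_VERIFYHOST => 2, CURLOPT_SSL_VERIFYPEER => 1];
"""

if __name__ == "__main__":
    for lineno, option, label in scan(SAMPLE):
        print(f"line {lineno}: {option}: {label}")
```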