Tuesday, April 16, 2024

The Apple curl Security Incident

Daniel Stenberg (Hacker News, Slashdot):

The friendly reporter showed how the curl version bundled with macOS behaves differently than curl binaries built entirely from open source. Even when running the same curl version on the same macOS machine.

The curl command line option --cacert provides a way for the user to say to curl that this is the exact set of CA certificates to trust when doing the following transfer. If the TLS server cannot provide a certificate that can be verified with that set of certificates, it should fail and return error.

[…]

When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and checks the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise.

[…]

This is a security problem because now suddenly certificate checks pass that should not pass.

Yet another case where Apple’s security team doesn’t agree about what constitutes a security issue.

Previously:

9 Comments RSS · Twitter · Mastodon


Old Unix Geek

Apple should not ship curl if they change its core functionality in this way, particularly if they don't change version numbers.

The "Apple security team" should write their own "weknowbetter" utility.

In fact, perhaps Apple should stop pretending MacOS is unix, and just go back to being a proprietary thing with different, undocumented rules of its own. A good name would be "iOS Pro".


@Old Unix Geek
Spitting fire today I see. Don't disagree. If you are going to make changes, then change the version number so we know it's not the same build. Or rename the utility with a hard fork.


I don't understand why this isn't a security problem? According to Apple anyway. If you explicitly tell curl to only validate certain certificates and Apple overrides you anyway with a secondary check, with no feedback of what it's doing, seems strange to me. The fact the curl maintainer took it seriously even though it's not a curl problem is actually quite swell. Too bad Apple, who created the problem, doesn't care in the least.


> Yet another case where Apple’s security team doesn’t agree about what constitutes a security issue.

Modern Apple:

1. Will probably stop shipping curl. Bonus: It'll free up space for more important OS-level features, like emojis.
2. Every new Terminal tab will come with a security alert.


Homer Simpson

Why is this still news?

Obviously Daniel Stenberg was upset that he shipped buggy code. That's understandable. Happens to every developer. What's unusual is that Apple had its own fork that made them immune to some of those recent bugs. It's unfortunate that he goes out of his way to denigrate Apple because of it. Twice he says that this behavior is undocumented. But it is documented. And Apple plainly says "it should not be set". In fact, it is Daniel Stenberg that didn't document the failure behavior that Apple supposedly broke.

But back to why is this still news? All Apple developers should be using one of Apple's several different networking APIs. They're all better than curl.


@Homer Apple made a fork that changed the behavior and then documented the broken behavior as expected. I don’t understand how you get from there to “Stenberg shipped buggy code.” The code in question is not even part of curl.

curl is really nice to use.


@Homer Simpson
Wait, what's the curl bug? Only Apple's version is failing and they made the change? Maybe you meant other bugs I am not privy too, I admit to not following curl builds that closely. I'm curious what information you can share about curl's side of things when it comes to bugs.


@Homer
"All Apple developers should be using one of Apple's several different networking APIs. They're all better than curl."

curl is not a networking API. Unless you assume that developers use system("curl ...") to download files, for instance. It's "just" a command line tool, so its main purpose is to run it from a shell or a script.

If someone wants some features of curl and one of Apple's several different networking APIs, they can use nscurl.


curl is both a cmdline tool and a library that many apps used for downloading all kind of web data, especially when it requires SSL (https) or other complicated protocols (webdav, sftp).

Leave a Comment