Webtagr - Technology News Summarizer

GitHub Diff Vulnerability: Exploiting Unicode Character Substitution

2025-05-17

A curl contributor, James Fuller, uncovered a vulnerability in GitHub's diff viewer. Malicious actors could substitute ASCII characters with visually identical Unicode characters, altering code without apparent change. This could lead to URL manipulation and other serious consequences. While GitHub's diff viewer lacked a warning, other platforms like Gitea flagged such changes. The curl project responded by implementing CI checks to detect malicious Unicode and cleaned up UTF-8 sequences. This highlights the need for proactive code security measures to prevent potential attacks.

(daniel.haxx.se)

Development code security GitHub vulnerability

Curl's .onion Blocking: A Security vs. Usability Tug-of-War

2025-05-16

To prevent DNS leaks of .onion domains by Tor users, curl implemented RFC 7686 two years ago, blocking resolution of .onion domains. However, this breaks the new Tor tool oniux, preventing it from using curl to access .onion sites. This highlights a security vs. usability conflict: strict RFC adherence impacts user experience, while relaxing restrictions increases security risks. The curl team is now working to find a solution that balances security and user needs.

(daniel.haxx.se)

Tech DNS leak

Curl's Dotted Disaster: Two CVEs and a Never-Ending Chase

2025-05-15

The curl team has had a persistent struggle with trailing dots in hostnames within URLs. Initially ignoring them, curl later reinstated support for websites requiring trailing dots. However, this change inadvertently introduced two security vulnerabilities (CVE-2022-27779 and CVE-2022-30115) affecting cookie handling and the HSTS mechanism respectively. These vulnerabilities stemmed from improper handling of trailing dots leading to incorrect domain matching. curl 7.83.1 addresses these issues, but the author suspects this may be just the beginning of a long-running battle.

(daniel.haxx.se)

Development

Secure Curl: Building Reliable C Code for Billions of Installations

2025-04-07

The curl team shares their practices for building secure and reliable network transfer tools in C. They highlight the importance of extensive testing, including static analysis and fuzzing. Approximately 40% of their security vulnerabilities stem from C's memory unsafety, but strict coding standards, style enforcement, and avoidance of risky functions keep this number low. Curl's coding style emphasizes readability and maintainability through line length limits, short variable names, and zero-warning compilations. Robust error handling, API stability, and careful memory management are crucial for the software's reliability and security.

(daniel.haxx.se)

Development C security

curl's Experimental HTTPS RR Support: The Next Generation of DNS Records

2025-03-31

curl now experimentally supports the new DNS record type HTTPS RR, offering a more modern way than SRV and URI to convey service metadata such as ECH configuration, ALPN lists, target hostnames, ports, and IP addresses. HTTPS RR enhances HTTPS connection security (via ECH encryption of the SNI field) and efficiency (by pre-fetching HTTP/3 support information), and simplifies service discovery. curl achieves HTTPS RR resolution through DoH, getaddrinfo(), or c-ares, but currently lacks runtime disabling and still has incomplete HTTPS RR support.

(daniel.haxx.se)

Development

curl.se Traffic Analysis: 2TB/day, Where's All the Traffic Coming From?

2025-02-22

The curl.se website handles 62.95 TB of traffic per month, averaging over 2 TB per day and peaking at 3.41 TB. While detailed logs are unavailable, data shows that of 12.43 billion requests, only 1.12 million were curl package downloads (less than 10% of total traffic). The vast majority of traffic (99.77%) is handled by the Fastly CDN cache. However, widespread use of HTTP/1.1 and TLS 1.2 suggests a significant amount of non-browser traffic, possibly from bots or other tools. Analysis indicates that 207.31 million downloads of 100KB-1MB files (likely CA certificates) could account for a large portion of the remaining traffic. Traffic is evenly distributed globally, unlike previous concentrations in China.

(daniel.haxx.se)

Tech network traffic

The 20+ Year War Against Insecure Connections: A libcurl Retrospective

2025-02-11

Since curl's support for SSL in 1998, default certificate verification has been a cornerstone of network security. However, developers continue to disable this crucial check, leading to widespread vulnerabilities. This article recounts the evolution of libcurl, explores the dangers of disabling verification, and proposes solutions like API improvements, enhanced documentation, and proactive bug reporting. The fight for secure connections is a long-term battle.

(daniel.haxx.se)

Development certificate verification

OpenSSL Rejects QUIC API: A Setback for HTTP/3 Adoption?

2025-01-21

OpenSSL, the most popular TLS library, has rejected adding a QUIC API to its upcoming releases, posing a significant hurdle for widespread HTTP/3 adoption. Despite a community pull request (PR8797) offering the necessary APIs, the OpenSSL management committee decided to build a complete QUIC stack from scratch, a process expected to take several years. This decision has sparked community frustration, as mature QUIC libraries already exist. Microsoft and Akamai created quictls, an OpenSSL fork with the QUIC API, as a workaround. However, this isn't a sustainable solution, leaving the future of HTTP/3 adoption uncertain due to OpenSSL's choice.

(daniel.haxx.se)

Development

curl Gets a Major Update: Partial File Reading Support

2024-12-30

The upcoming curl 8.12.0 release introduces exciting new functionality: partial file reading. Users can now leverage a new variable system to extract specific byte ranges from files and use them within curl command lines. This adds significant flexibility to how curl handles files, allowing for tasks like extracting the beginning of a file as a username or a section in the middle for a POST body. This significantly expands curl's capabilities, empowering users with a more robust command-line tool.

(daniel.haxx.se)

Development file handling

cURL and libcurl Drop Hyper Support

2024-12-22

After a four-year experiment, the cURL project has announced it's abandoning the use of the Rust-based Hyper library as an HTTP backend. Despite Hyper's memory safety advantages and support from Let's Encrypt, lack of user demand and developer involvement led to its termination. The cURL team cited the high cost of maintaining the Hyper code and a focus on improving and maintaining the existing codebase. While the experiment failed, cURL gained valuable experience and improved its HTTP handling capabilities.

(daniel.haxx.se)

Development

HTTP/3's Current State: Challenges and Opportunities on the Path to Adoption

2024-12-16

The HTTP/3 specifications are complete but await final publication. Server-side support is surprisingly high, particularly among top websites. Major players like Cloudflare have enabled HTTP/3, and browsers widely support it. However, client-side support, such as in curl, remains incomplete, largely due to the lagging development of QUIC-enabled TLS libraries. OpenSSL's QUIC support has been delayed, while alternatives like BoringSSL and quictls have limitations. While HTTP/3 promises speed improvements, real-world benefits depend on network conditions. Widespread adoption hinges on specification release and mature TLS libraries.

(daniel.haxx.se)

Development