deleting system32\curl.exe
Let me tell you a story about how Windows users are deleting files from their installation and as a consequence end up in tears. Background The real and actual curl tool has been shipped as part of...

NVD damage continued
There is something about having your product installed in over twenty billion instances all over the world and even out of the globe. In my case it helps me remain focused on and committed to working...

Making it harder to do wrong
You know I spend all my days working on curl and related matters. I also spend a lot of time thinking on the project; like how we do things and how we should do things. The security angle of this...

The I in LLM stands for intelligence
I have held back on writing anything about AI or how we (not) use AI for development in the curl factory. Now I can’t hold back anymore. Let me show you the most significant effect of AI on curl as of...

curl, Tor, dot onion and SOCKS
You can of course use curl to access hosts through Tor. (I know you know Tor so I am not going to explain it here.) SOCKS The typical way to access Tor is via a SOCKS5 proxy and curl has supported...

Talk: Keeping the world from Burning
On Monday this week, I did a talk at the Nordic Software Security Summit conference in Stockholm Sweden. I titled it CVEMITRECVSSNVDCNAOSS WTF with the subtitle “Keeping the world from Burning”. The...

curl bug-bounty stats
tldr: the curl bug-bounty has been an astounding success so far. We started the current curl bug-bounty setup in April 2019. We have thus run it for five and a half years give or take. In the...

A twenty-five years old curl bug
I have talked about old curl bugs before, but now we have a new curl record. When we announced the security flaw CVE-2024-11053 on December 11, 2024 together with the release of curl 8.11.1 we fixed a...

Secure Transport support in curl is on its way out
In May 2024 we finally decided that maybe the time has come for curl to drop support of older TLS libraries. Libraries that because they don’t support the modern TLS version (1.3) for many users are...

CVSS is dead to us
CVSS is short for Common Vulnerability Scoring System and is according to Wikipedia a technical standard for assessing the severity of vulnerabilities in computing systems. Typically you use an online...