bagder, 3 months ago

on hacker news: https://news.ycombinator.com/item?id=39650498

krinkle, 2 months ago (edited 2 months ago)

deleted_by_author

BasieP, 2 months ago

@krinkle @bagder or the nsa for that matter...

jevinskie, 3 months ago

@bagder they should just put that “extended behavior” behind a new command line flag/environment variable.

bjst, 3 months ago

@bagder
Minor clarification nitpick: It's not unreliable with "curl on an apple OS", it's unreliable with "apple's build of curl".

slink, 3 months ago (edited 3 months ago)

@bagder daniel, i respect and admire you for your considerate and respectful behavior, but would it be appropriate to point out the potential of unintended #mitm interception more clearly in this case?
i mean, the title could also have been "apple does not want you to notice when you are being wiretapped", or do i miss any other precaution they took for this not to happen?

also, i find it shocking that i don't find this shocking any more… 🤯

bagder, 3 months ago

@slink it is not in my interests to be alarmist. I believe I describe the problems in the blog post.

slink, 3 months ago

@bagder you do indeed, thank you.

schamschula, 3 months ago

@bagder Good to know! I generally build and install curl under #MacPorts with the gnutls variant. However, there is no variant that builds against Apple's flavor of LibreSSL. The default build may use the MacPorts version of LibreSSL, if installed in place of OpenSSL.

bagder, 3 months ago

@schamschula turns out to be very clever!

bagder, 3 months ago

if doing a tool working everywhere is not already hard enough, some vendors decide to actively work against us and sneakily add backdoor functionality so that curl does not work the same way on their platforms. So now our documentation is wrong. But only if you use the curl bundled by Apple with macOS. If you get curl with homebrew on the same machine, it will act as documented..