OK, that headline is a bit of a cheap shot. But if you run the curl binary that Apple ships, you’re in for a surprise if you happen to use the --cacert flag. That flag specifies that TLS verification is only to be done using the certificate file specified. That’s useful to solve certificate mysteries, or to make absolutely sure that you’re connecting to the server you expect.
This is a companion discussion topic for the original entry at https://hackaday.com/2024/03/15/this-week-in-security-apple-backdoors-curl-tors-new-bridge-and-ghostrace/