This Week in Security: Apple Backdoors Curl, Tor’s New Bridge, and GhostRace

OK, that headline is a bit of a cheap shot. But if you run the curl binary that Apple ships, you’re in for a surprise if you happen to use the --cacert flag. That flag specifies that TLS verification is only to be done using the certificate file specified. That’s useful to solve certificate mysteries, or to make absolutely sure that you’re connecting to the server you expect.


This is a companion discussion topic for the original entry at https://hackaday.com/2024/03/15/this-week-in-security-apple-backdoors-curl-tors-new-bridge-and-ghostrace/