Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Desktops (Apple) Security Apple

Apple Criticized For Changing the macOS version of cURL (daniel.haxx.se) 75

"On December 28 2023, bugreport 12604 was filed in the curl issue tracker," writes cURL lead developer Daniel Stenberg: The title stated of the problem in this case was quite clear: flag -cacert behavior isn't consistent between macOS and Linux , and it was filed by Yuedong Wu.

The friendly reporter showed how the curl version bundled with macOS behaves differently than curl binaries built entirely from open source. Even when running the same curl version on the same macOS machine.

The curl command line option --cacert provides a way for the user to say to curl that this is the exact set of CA certificates to trust when doing the following transfer. If the TLS server cannot provide a certificate that can be verified with that set of certificates, it should fail and return error. This particular behavior and functionality in curl has been established since many years (this option was added to curl in December 2000) and of course is provided to allow users to know that it communicates with a known and trusted server. A pretty fundamental part of what TLS does really.

When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and checks the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise. Therefore, when a user runs the check with a trimmed and dedicated CA cert file, it will not fail if the system CA store contains a cert that can verify the server!

This is a security problem because now suddenly certificate checks pass that should not pass.

"We don't consider this something that needs to be addressed in our platforms," Apple Product Security responded. Stenberg's blog post responds, "I disagree."

Long-time Slashdot reader lee1 shares their reaction: I started to sour on MacOS about 20 years ago when I discovered that they had, without notice, substituted their own, nonstandard version of the Readline library for the one that the rest of the Unix-like world was using. This broke gnuplot and a lot of other free software...

Apple is still breaking things, this time with serious security and privacy implications.

This discussion has been archived. No new comments can be posted.

Apple Criticized For Changing the macOS version of cURL

Comments Filter:
  • Too bad that no prosecutor will care.

    • by ToasterMonkey ( 467067 ) on Saturday March 23, 2024 @11:39AM (#64339025) Homepage

      The difference in behavior is due to differences in the SSL library curl is linked to. That behavior is not even formally specified, the man page even makes it clear that flag is platform specific right out the gate before even getting to the platform's SSL implementation.

      And then... why is anyone using curl to do very specific SSL validation tests when tools like the openssl cli are available. Curl is just an http client, unless they rolled their own, they're at the whims of whatever SSL impl was linked in. Go talk to a senior Linux sysadmin and ask for help you sad little web developer children. This is not a Mac problem, this is an every unix is different and welcome to the party problem.

      There's something very karmic about Linux tossing aside decades of Unix standards and some kids getting upset that an http client doesn't do what Linux does, made me laugh.

      • And then... why is anyone using curl to do very specific SSL validation tests when tools like the openssl cli are available.

        Because they are using curl for whatever reason they use curl (ease of its command line as compared to other https clients, or whatever).

        And it only makes sense to do the validation along with the rest of the https access (which could be the submission of a form, which contains sensitive data).

        The reason for this is twofold:

        1. convenience: why call 2 different utilities, when you could do all in one?
        2. security: if middleman is smart, certificate could have changed between invocation of "validation" utility,
      • Curl is just an http client

        Not quite. It is also an SMTP client, an FTP client, an MQTT client, an IMAP client, and a few other things I forget.

        Ah, here, it reads in the manual:

        It supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS.

        The point may not be to test SSL itself, but to test something that uses SSL.

    • And this is the company morons on here constantly defend.
  • by Viol8 ( 599362 ) on Saturday March 23, 2024 @10:39AM (#64338921) Homepage

    I didn't know about Curl but the recent MacOS 14.4 release has broken the entire printing system - not just one or 2 specific printers, the entire system! I can't help thinking that even Microsoft might have noticed that before releasing a Windows update.

    And when they're not breaking things the software they include is often pretty ancient - eg the version of the Clang C++ compiler shipped with macos still doesn't support C++20 properly - in 2024.
    Their shipped version of Python3 is also a few years behind too.

    • by Tomahawk ( 1343 ) on Saturday March 23, 2024 @10:48AM (#64338945) Homepage

      They ship bash 3 because the licence changed with bash 4 to one they don't like. Hence with the switch the zsh too.

      Handily homebrew gives me bash, so I'm happy.

    • by ArmoredDragon ( 3450605 ) on Saturday March 23, 2024 @11:09AM (#64338985)

      CLI on macos seems janky overall, no matter how you use it, even if you ssh to a Linux box. I have problems with the macos terminal all the time, mainly surrounding the fact that it doesn't seem to update the screen reliably. I often will enter a command or type text and have nothing happen as a result, but the problem isn't the software, it's apple's shitty terminal. Microsoft's terminal within vs code does a way better job on mac than apple's own shit.

      • by Viol8 ( 599362 ) on Saturday March 23, 2024 @11:13AM (#64338991) Homepage

        I don't have problems with screen updates in terminal, but cut and paste from other applications seems to be a random will-it-wont-it affair. Sometimes it works, sometimes it pastes an old buffer, sometimes it pastes nothing at all. Text cut and paste has been a solved problem for 40 years yet still Apple have managed to fuck it up.

        • I've had that happen as well but I've generally dismissed it as perhaps me just hitting the wrong hotkey when I did the copy.

          • by Viol8 ( 599362 )

            Nope, not you, its a bug - one of the many they can't seem to be bothered to fix.

            • by dgatwood ( 11270 )

              Nope, not you, its a bug - one of the many they can't seem to be bothered to fix.

              This is happening often enough to me lately that I was starting to think I was losing my mind. Glad it isn't just me and that macOS really does suck now.

            • Nope, not you, its a bug - one of the many they can't seem to be bothered to fix.

              Interesting; since no doubt many Apple Devs. themselves obviously use it every single day as part of their job.

              • I use it every day as part of my job, but the main purpose is to ensure that my code actually runs on it. And because it's so god damn finicky to get monitors working correctly with it, I just leave it docked most of the time to avoid fighting that mess.

      • by Anonymous Coward

        I thought Terminal was fine, but the osx "unix" userspace was always gratuitously and appallingly broken and/or out of date. It's like they pulled it all in to check a box, then let it rot while accumulating further breakage of their own making. Apple's refusal to fix the myriad bugs (not limited to command line utilities, and blindingly obvious to any more than casual user) was always infuriating. Each new release would come with hope that they'd fix something, and the inevitable disappointment that follo

    • by tomz16 ( 992375 )

      eg the version of the Clang C++ compiler shipped with macos still doesn't support C++20 properly - in 2024

      FFS, it still doesn't support OpenMP. You have to go find the equivalent version of LLVM, compile your own libomp, and then franken-link it in. It *seems* to work with AppleClang, but given possible divergence in both compiler branches, that's more of a happy coincidence than some sort of ironclad guarantee.

      You *could* just use LLVM, but then you don't know if they made any other compatibility-breaking changes in AppleClang, esp. on their own CPU architecture.

      Stallman was... right?

      • Stallman was "right" insofar that he is responsible for all of this. Apple can't ship anything that is under GPL4.
        • by tomz16 ( 992375 )

          Stallman was "right" insofar that he is responsible for all of this.

          Disagree... all of the compiler horse-shittery here is because Apple CHOOSES to ship their own ecclectic mix of llvm separate from the OSS versions available on other platforms. Like I said, it's not even clear there is a path to re-constituting all of the open-source components in LLVM to make your own copy of AppleClang (because they don't actually have to give you all of the bits in source-code form, much less a way to make your own equivalent binary). This is, of course, 100% their right to do (and th

  • Even for stuff that comes with MacOS I still use `brew install` to put a proper version in place 'cos the apple version always break something. I've just given up on them and put their stuff at the end of the PATH.

    • This doesn't apply to curl because Homebrew isn't dumb enough to link curl by default because it's keg only. Homebrew is shit because they make weird choices, break things in fragile ways, fail to listen to user feedback, and make tinkering and customization incredibly difficult. Use nix.
    • Because Stallman.
  • by jamienk ( 62492 ) on Saturday March 23, 2024 @10:47AM (#64338943)

    What might Apple's motive be?

    • app store only and if you want side your own apps $0.50 per install / update!

    • by Anonymous Coward

      They probably use curl internally and are probably doing something silly with certificates, and they bandaided curl instead of using the tool properly, not thinking there might be security implications.

    • by stripes ( 3681 )

      Apple's motive in this case is their cert system is intertwined with having securityd do as much of the work including in many cases policy enforcement as possible. That is a great tradeoff for their normal application stack, but doesn't intermesh well with the corners of how curl expects things to work. So they get a variant behaviour. Since curl isn't part of the "UNIX standard" (which Apple does care about complying with) anyone that gets the bug assigned to them can either work on it for a week and

  • by Glasswire ( 302197 ) on Saturday March 23, 2024 @11:11AM (#64338989) Homepage

    Basically trusting Apple to supply open source binaries is like trusting Microsoft to do it.
    If you care, compile from sources. If you want to download uncurated binaries, start with Linux.

    • by mjwx ( 966435 )

      Basically trusting Apple to supply open source binaries is like trusting Microsoft to do it.
      If you care, compile from sources. If you want to download uncurated binaries, start with Linux.

      Ultimately the average person doesn't have the ability to audit all the code they use, hell most people with the capability don't have the time so we have to work on trust, FOSS tends to be the most trustworthy source.

      However your first sentence is right, if anything Apple is less trustworthy with open source than Microsoft, in fact less trustworthy in general and I don't trust Microsoft as far as I can throw them.

  • Backdoor uses (Score:5, Interesting)

    by AcidFnTonic ( 791034 ) on Saturday March 23, 2024 @11:26AM (#64339013) Homepage

    Basically to me this is a backdoor situation.

    1. Attacker drops their own extra certs into the ca store.
    2. They man in the middle your connection with their cert.
    3. Your EXPLICIT request to use your cert gets IGNORED and the man in the middle goes undetected.

    • If somebody has managed to surreptitiously drop their own certs in to the store, then youâ(TM)ve got bigger problems than them using it to MIT some HTTPS connections. Itâ(TM)s game over.

      • Re: Backdoor uses (Score:5, Interesting)

        by AcidFnTonic ( 791034 ) on Saturday March 23, 2024 @12:34PM (#64339149) Homepage

        Of course but basically this is how a nation state level attacker would nail everyone. Dropping certs into the system store via some government mandated backdoor is feasible. It would silently allow compromise of hosts via the POISONNUT/XKEYSCORE infrastructure Snowden leaked existence of.

        • If there is a backdoor (other than this one), the nation state level attacker could just directly install a keystroke logger or whatever.

          However, this curl backdoor allows a nation state level attacker to lean on a CA under its control, which happens to be already in the system CA store (but not in the user's own trimmed down CA store).

      • If somebody has managed to surreptitiously drop their own certs in to the store

        That's a feature, not a bug. Any CA can insert their own certs that override other certs.

        https://bugzilla.mozilla.org/s... [mozilla.org]

        • What's the point of including the Mozilla bug report, which is obvious satire and was immediately rejected as invalid because the user's proposal did not comply for CA inclusion in Mozilla products?

          Also, in the case of OP's mention and the story, the -cacert flag is explicitly supposed to ignore the certificate store and force the cURL executable to evaluate only the certificate(s) asked. Apple's implementation is changed to always check the certificate store, which can defeat measures like certificate p
          • Honest Achmed's request is just as valid as that of any other CA. The business model is identical, and Achmed is more trustworthy than any company beholden to the NSA.

            I agree that Apple broke the feature. That's not the point. The point is that certificate injection is a feature of the protocol. That's why pinned self-signed certificates are regarded as less secure than certs that are eminently replaceable by a third party. The Apple App Store doesn't even accept apps that use certificate pinning. If A

    • Many corporate network security teams break and inspect SSL. End-point security tools used by IT often inject a generic cert in the CA store to make this seamless. So the MitM is often the IT org. I wouldn't be surprised if Apple's own network security team requested this change. They work for one of the few companies where the OS of all of the user-endpoints are all their company's product.
      • by Nebulo ( 29412 )

        You're probably 99% correct, but Apple does make Windows software as well as needing to test interoperability with Windows systems, so there must be SOME PC clients on their internal network.

      • by stripes ( 3681 )

        While it has been a decade since I worked at Apple, the CoreOS division had an institutional response to the IT team asking for anything. It was laughter. The security team within the CoreOS team doubly so, but only when they could stop laughing long enough to listen to the request first.

        This isn't always healthy, it is part of why it took Apple so long to design a device managment system that made IT departments happy, because they never listen to their own it took much longer to figure out what IT dep

    • Lol, if the attacker can add to your CA store then you got other problems to worry about like backdoored executable files.
  • by The Cat ( 19816 ) on Saturday March 23, 2024 @12:06PM (#64339101)

    "Hey, why do you invest so much time and effort to run Linux?"

    Simple answer:

    "So I have control over my own machine."

    "Why is that so important?"

    "Because if I leave it up to someone else they'll FUCK IT UP and then blame me."

    • My answer would be that I don't.

      Linux is the simpler, easier choice. Maybe the barrier to entry is you have to be generally good with computers but that's my day job anyway, regardless of the OS. Given that, Linux is for me very much the easy choice.

      Actually here's an interesting talk which I think touches n that topic:

      https://www.youtube.com/watch?... [youtube.com]

      "NTFS isn't really that bad", which is a guy debugging glacial git performance on Windows, previously assumed to be the fault of NTFS. It's not, and a good d

  • My business computers are centrally managed. One the things you can do is put certificates into the trust store provided by MacOS. If we want to ensure that utilities behave consistently and not allow users to alter the trust configuration, this would be the expected behavior.
    • And that is the expected behavior you will get with all standard calls to curl. But from the summary, when a user specifies the "--cacert" option to curl, the user is explicitly stating that they only want to trust the cert provided by that parameter.
  • There seems to be an obvious solution to anyone who finds themselves in this boat and needing to use MacOS for some reason: build their own stock version of curl and use that. Did someone mention homebrew?

    • Did someone mention homebrew?

      Yes, the guy who filed the bug report. Because building curl from source through Homebrew will still link to Apple's own SSL library, which injects their own certs.

      • by mrsam ( 12205 )

        What about OpenSSL, is it available from homebrew? Sounds like it's time to build OpenSSL from source, and link curl to it.

  • by organgtool ( 966989 ) on Saturday March 23, 2024 @01:25PM (#64339251)
    I'm not surprised at all that Apple modified the behavior of a command-line utility to do something their way, especially since they've had the mentality that they know better than their users for quite some time. However, it really bothers me that they didn't change the version number. Who knows how many poor bastards will be banging their heads against the wall trying to troubleshoot why curl on their Mac isn't acting like the same version of curl on their other devices or the same version that they built themselves. This is a pet peeve of mine: any time you change any code, you modify the version number. At best Apple was being lazy and at worst they're being deceptive, but neither is a good look.
  • by bill_mcgonigle ( 4333 ) * on Saturday March 23, 2024 @03:09PM (#64339427) Homepage Journal

    I wonder which dissidents' comms app depended on -cacert for internal security.

    • by sl3xd ( 111641 )

      None. Using https and TLS does little to provide anonymity. Using cURL in such a scenario is little more than a straw man that simply isn't a plausible use case when we have vetted tools for dissidents like the Tor Browser Suite, Signal, and I'm sure others I'm less familiar with.

  • Overriding the behavior of cURL like this is dangerous and should be treated as a security vulnerability.

    Over the years we occasionally see some interesting things pop out of distributing trust anchors to clients. Every once in a while get complaints about failures caused by malware and "security" software that has installed its own roots into the OS cert store in order to MITM all of your traffic. I would say about a quarter of the time the customer was completely oblivious to what was going on.

  • Have other Apple-supplied HTTPS client components also been checked for this sneaky wire-tapping enablement?

    Nevertheless, this only needs to combine with a hidden shim proxy to enable man-in-the-middle attacks, with susceptibility to wire fraud and content tampering.

    Also, does the Mac manpage for curl disclose this modified effect of -cacert? If not, then the software is being fraudulently misrepresented.

    And on a whole different note, is it possible Apple received a National Security Letter (NSL) c
    • by sl3xd ( 111641 )

      Not only does the Mac manage disclose the behavior of -cacert, so does the Linux manage, and the manage on man7.org [man7.org], and curl.se [curl.se]

      Additionally, the macOS CA keystores are easily searchable, verifiable, and modifiable. If you want to go to your system, remove all of the CA Certificates and verify that -cacert doesn't verify after deleting keys, you can do that.

      You can also clone the source code Apple publishes for their fork of cURL [github.com] - which they do for every patch of macOS.

      I dunno... part of me wonders if it's

  • This isn't "we changed -x to -y, update your scripts" - they fundamentally broke the feature.
  • Microsoft just puts cURL in their system but doesn't bother to update it for months even when there are known vulnerabilities. For added measure, if you update it yourself chances are you'll break things. So you get the join of your security group screaming fix it as you just have to keep reminding them you can't. Then Microsoft eventually patches it and months down road after you get to repeat the whole situation again.

  • You want apple products? Then you will do things the Apple way, or the highway. No use in expecting apple to do anything sensible. They ought to be broken up forcefully, like other asshole corps have been forced to break up by the government. In any case, if you don't want this kind of crap, don't use apple. Simple.
  • I believe it was Jake from HTTP 203 that once asked / argued Apple's Safari is the new Internet Explorer. He argued Safari deviates from standards, lags behind on implementing new standards, etc. much like IE did back in the day. Causing needless overhead during development. I guess this 'philosophy' isn't limited to their web browser. I regularly encounter problems on macOS. Things like `realpath`, `date`, `grep`, etc. work differently, or is simply not supported.

He has not acquired a fortune; the fortune has acquired him. -- Bion

Working...