If CURLOPT_SSL_VERIFYPEER is false, is the data transfer no longer secure?

Backend · Unresolved · 3 · 860
生来不讨喜 2020-12-09 11:41

I've recently run into a problem posting data to a server whose SSL certificate was updated. I did some research and I found that when CURLOPT_SSL_VERIFYPEER is set to fals

3 answers
  •  遥遥无期
    2020-12-09 12:31

    If you disable CURLOPT_SSL_VERIFYPEER, no verification of the certificate is done (and the value of CURLOPT_SSL_VERIFYHOST is ignored). As a result, this leaves you insecure against man-in-the-middle attacks. This means you are no longer transmitting the data over a secure connection.

    Yes, the data is encrypted, but it's still not secure. You know you are sending to someone, but you have no idea who; you might be sending it to the user's arch enemy (carefully encrypting it so no one other than the attacker can read the data). This is bad. All the encryption in the world isn't much good if you're encrypting it using the attacker's public key.

    Bottom line: Don't disable CURLOPT_SSL_VERIFYPEER. It leaves you insecure.

    See Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl) for more on what you need to do to use cURL's SSL support securely.
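    The answer above says to keep verification on; the usual reason people turn it off is exactly the asker's situation, a renewed server certificate whose issuer is missing from the local CA bundle. The following is an added example, not code from the original post or from libcurl's documentation. It assumes PHP's curl extension, a hypothetical CA bundle path passed in as `$caBundle`, and a placeholder URL; it shows the insecure setting as a comment next to the corrected configuration and turns a certificate failure into a visible error instead of a silent downgrade.

```php
<?php
// Added example (not from the original post). Assumes PHP's curl extension and a
// CA bundle file at the hypothetical path $caBundle that contains the issuer of
// the server's renewed certificate.

/**
 * POST a JSON payload over TLS with peer and host-name verification enabled.
 * Returns [$statusCode, $body]; throws on transport or TLS failure.
 */
function postJsonVerified(string $url, array $payload, string $caBundle): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($payload),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,

        // The insecure "fix" that makes the error go away by trusting anyone:
        //   CURLOPT_SSL_VERIFYPEER => false,   // do not do this
        // Keep verification on and point libcurl at a CA bundle that contains
        // the server's (new) issuer instead.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,      // certificate must match the host name
        CURLOPT_CAINFO         => $caBundle,
    ]);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false) {
        // Certificate problems surface as these two libcurl codes; report them
        // so the operator fixes the trust store rather than disabling checks.
        if (in_array($errno, [CURLE_SSL_CACERT, CURLE_SSL_PEER_CERTIFICATE], true)) {
            throw new RuntimeException(
                "TLS verification failed ($errno): $error. "
                . "Update the CA bundle at $caBundle; do not disable CURLOPT_SSL_VERIFYPEER."
            );
        }
        throw new RuntimeException("cURL error $errno: $error");
    }

    return [$status, $body];
}

// Usage with placeholder URL and bundle path (constructed values):
// [$status, $body] = postJsonVerified(
//     'https://api.example.com/submit', ['id' => 1], '/etc/ssl/certs/ca-bundle.crt'
// );
```

    If the error persists with verification on, the bundle is the thing to update (or the server operator must send a complete chain); with `CURLOPT_SSL_VERIFYPEER` disabled, the same call would succeed against any certificate, including one presented by an interposing party, which is the point the answer makes.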
