Hacker News
The most dangerous code: Validating SSL certs in non-browser software (2012) [pdf] (cornell.edu)
9 points by ripe 3 hours ago | 2 comments




[2012]

The situation has improved somewhat, although some of the underlying libraries have changed little so it's still easy to write insecure TLS.

cURL's API was improved in 7.66.0 for example: https://github.com/curl/curl/pull/4241

But the Java APIs are likely little changed.


And, the worst part is that because it is an "application" issue, it is possible that it is going to be a "gift that keeps on giving" for a long time.

And the worst part is that most (Indian) banks have been using only Android/iOS for "security" for some time now.



