Curl is a ubiquitous network transfer utility. It's on desktops, laptops, servers, vehicles, and appliances. Securing curl is important because its primary job is to handle data coming in from a network. Unfortunately, all of the networking code in curl is written in C, which is not memory safe.
We got in touch with curl's maintainer, Daniel Stenberg, to talk about how we might help protect curl's core HTTP and TLS networking code from memory safety vulnerabilities. Daniel had a lot of great questions about what we had in mind, and he patiently answered a lot of our questions. We quickly realized we were talking to a thoughtful, cautiously progressive maintainer. He was willing to hear us out and consider significant changes, but he would need a plan that was not overly disruptive to existing users.
What We've Done
We contracted with Daniel to integrate the Hyper HTTP library into curl. ISRG engineer Jacob Hoffman-Andrews integrated the Rustls TLS library into curl.
Today curl users can choose to build curl with Hyper and Rustls.
Collecting feedback from people using the Hyper and Rustls back-ends is our priority as we work to convince organizations distributing curl to switch to the safer back-ends.
From our Blog
Memory safety vulnerabilities represent one of the biggest threats to Internet security. As such, we at ISRG are interested in finding ways to make the most heavily relied-upon software on the Internet memory safe.