Prossimo Initiative
curl logo

The Story

Curl is a ubiquitous network transfer utility. It's on desktops, laptops, servers, vehicles, and appliances. Securing curl is important because its primary job is to handle data coming in from a network. Unfortunately, all of the networking code in curl is written in C, which is not memory safe.

We got in touch with curl's maintainer, Daniel Stenberg, to talk about how we might help protect curl's core HTTP and TLS networking code from memory safety vulnerabilities. Daniel had a lot of great questions about what we had in mind, and he patiently answered a lot our questions. We quickly realized we were talking to a thoughtful, cautiously progressive maintainer. He was willing to hear us out and consider significant changes, but he would need a plan that was not overly disruptive to existing users.

What We've Done

Together with Daniel Stenberg, we came up with a plan to add options to build curl with memory-safe HTTP and TLS libraries. For HTTP we chose the Hyper library. For TLS we chose the Rustls library.

We contracted with Daniel to integrate the Hyper HTTP library into curl. ISRG engineer Jacob Hoffman-Andrew integrated the Rustls TLS library into curl.

Today curl users can choose to build curl with Hyper and Rustls.

What's Next

Collecting feedback from people using the Hyper an Rustls back-ends is our priority as we work to convince organizations distributing curl to switch to the safer back-ends.


More from the Prossimo blog

October 9, 2020

Memory Safe ‘curl’ for a More Secure Internet

Memory safety vulnerabilities represent one of the biggest threats to Internet security. As such, we at ISRG are interested in finding ways to make the most heavily relied-upon software on the Internet memory safe.