This is an issue which hit me while reading The Most Dangerous Code in the World. The popular cURL library contains an option called CURLOPT_SSL_VERIFYHOST. The intention of the option is to verify that a given SSL certificate is for the website actually being accessed (and not something a Man In The Middle has provided instead).
While a value of 0 will disable this option, as one might expect, a value of 1 will also disable it; 2 is the correct value. However, many developers intuitively try to set a value of true, actually represented as 1 behind the scenes of many programming languages.
Not surprisingly, the cURL library will no longer support setting the CURLOPT_SSL_VERIFYHOST option to
It still remains as a gentle reminder of the importance of intuitive API design, since even the most diligent developers do not always read the documentation.
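A small source scanner for this mistake, added here as an example (it is not code from the original post or from the cURL project): it flags every CURLOPT_SSL_VERIFYHOST setting that is not the literal 2, using the value semantics described above. The function names, verdict labels and sample lines are constructed for illustration.

```python
import re

# Matches the value given for CURLOPT_SSL_VERIFYHOST in C/PHP call form
# (", value") and in PHP option-array form ("=> value").
SETTING = re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*([^\s,;)\]]+)")


def classify(raw):
    """Map the literal written in source to a verdict (labels are hypothetical)."""
    token = raw.lower()
    if re.fullmatch(r"\d+l", token):
        token = token[:-1]              # C long literal: 2L -> 2
    if token == "2":
        return "ok"
    if token in ("1", "true"):
        return "looks-enabled-but-is-not"   # the trap described in the post
    if token in ("0", "false"):
        return "disabled"
    return "review"                     # variable or expression: check by hand


def audit(source):
    """Return (line number, literal, verdict) for every setting that is not 2."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in SETTING.finditer(line):
            verdict = classify(match.group(1))
            if verdict != "ok":
                findings.append((lineno, match.group(1), verdict))
    return findings


# Constructed sample: C and PHP call sites, one per line.
SAMPLE = """\
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt_array($ch, [CURLOPT_SSL_VERIFYHOST => 0]);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify);
"""

if __name__ == "__main__":
    for lineno, value, verdict in audit(SAMPLE):
        print(f"line {lineno}: {value!r} -> {verdict}")
```

Values that are not literals are reported as "review" because the scanner cannot tell what they evaluate to at run time.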