
OpenSSL tutorials?

Started by October 07, 2014 07:29 AM
14 comments, last by Evil Steve 10 years, 1 month ago

if one didn't know better, one might think you were being serious


If it was Gentoo emerge and Arch pacman, I'd be with you :-) When it's some of the more mature projects, I give them a little more credence.

Also, every script-based web framework under the sun includes libcurl, which means that Facebook, Twitter, and a number of other large sites that are known to actually contribute patches back, have been using it. Thus, I'd trust libcurl over my own implementation on top of first principles.

I would be very surprised if it had inherent security flaws!


And here, the context was assumed as "...that are any worse than the Windows libraries" -- the fact that it's connected to the internet is, in itself, an inherent security flaw :-)
enum Bool { True, False, FileNotFound };

If it was Gentoo emerge and Arch pacman, I'd be with you :-) When it's some of the more mature projects, I give them a little more credence.

Also, every script-based web framework under the sun includes libcurl, which means that Facebook, Twitter, and a number of other large sites that are known to actually contribute patches back, have been using it. Thus, I'd trust libcurl over my own implementation on top of first principles.


So... you think that somehow it might have more eyes on it? I have no doubt that people contribute patches, but looking at the GitHub repository I can see that there are 4 main developers who make up 99% of all commits. This is the SAME problem OpenSSL had, and you can recall how secure that "widely used" library turned out.

More eyes doesn't mean people are actually looking at it. And while it is nice in theory to claim that more eyes means more chances to spot the issues... most of these appear to be just feature additions, not necessarily security reviews and enhancements.

I am not saying one should implement their own SSL; in fact I have stated otherwise above. But you already HAVE an implementation in place on Windows, which gets all the benefits of Windows security updates, and more. You do not need to use yet another one, where you will likely just drop in the DLL and never update it (or worse, statically link it). That, and I happen to know that WinHTTP HAS BEEN security audited. I cannot say the same about libcurl (and the same cannot be said about OpenSSL, which is in the process of being, but has not been completely, security reviewed).

In time the project grows, the ignorance of its devs it shows, with many a convoluted function, it plunges into deep compunction, the price of failure is high, Washu's mirth is nigh.


This is the SAME problem OpenSSL had, and you can recall how secure that "widely used" library turned out.


Yes. As I said: no worse than other libraries. It's not like Windows (or AIX, or Solaris, or any other alternative implementation) has been any better.

If you're targeting Windows only, and like the Windows API, the suggestion to stick with the Windows system libraries is fine -- I'm not against that at all.
enum Bool { True, False, FileNotFound };

So I set up libCurl, and wow - it's awesome. I don't know why I've not been using it already. I don't mind not being able to use my existing socket code; libcurl is amazingly simple to use and a lot more configurable than I thought it was.

Security isn't really a concern for me, since I'm only using it as an HTTP[S] client, and I'm not sending or receiving particularly sensitive data. I know it should be a concern, but... meh :)

EDIT: Share and enjoy:

Cheers,

Steve

Evil Steve, Thanks for sharing!

An even better way to share code is to use a github gist, or just create a free github repository and check the code in.
To create a public gist, go to gist.github.com
enum Bool { True, False, FileNotFound };

That requires more effort than just pasting a Dropbox link though ;)
