Hi, first of all thank you for this great library!
I noticed that CURLOPT_SSL_VERIFYPEER is set to false for all network requests. While I don't think there are many use cases in which this can be an issue (other than displaying the wrong time to the user), I think under some very specific circumstances it could potentially be problematic - either through an attacker modifying the served timezone DB such that some time-based check in the application passes when it shouldn't, or through some undiscovered vulnerabilities in the code that parses the downloaded data.
For the first case, an extreme example would be affecting the time at which x509 certificate validity is checked. It is not a realistic issue, since everyone should be using UTC for that, but hopefully it serves to illustrate what kinds of problems it could potentially cause.
While I think this poses a very minor risk for the majority of applications (I for one actually prefer it being like this since I can build libcurl without the CA bundle), I think it should be clearly stated as a disclaimer in visible places (GitHub README, docs), so that in the rare cases it does matter, the developers are warned of the potential security implications.
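
A developer who vendors a library can check its sources for the setting this issue describes before deciding whether the risk applies. The script below is an added example, not code from the library or from the issue author; the function name and the sample C++ input are constructed, and it also looks for `CURLOPT_SSL_VERIFYHOST`, which the issue does not mention.

```python
import re

# curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|VERIFYHOST, <value>),
# tolerating whitespace and line breaks between the arguments.
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,;]+?,\s*"
    r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^,;)]+?)\s*\)"
)
# Literal values that switch the check off. Casts and named constants are
# not resolved, so this is a first-pass scan, not a proof of absence.
OFF = re.compile(r"0[lL]?|false|FALSE")
# C/C++ comments. A "//" inside a string literal is also treated as a
# comment start, which is acceptable for this kind of scan.
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
static bool download(CURL* curl, const std::string& url) {
    curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, false);
    // curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
    curl_easy_setopt(curl,
                     CURLOPT_SSL_VERIFYHOST,
                     0L);
    curl_easy_setopt(other.get(), CURLOPT_SSL_VERIFYPEER, 1L);
    return curl_easy_perform(curl) == CURLE_OK;
}
'''


def find_disabled_tls_verification(source):
    """Return (line, option, value) for each setopt call that turns a check off."""
    # Blank out comments but keep their newlines so line numbers stay correct.
    code = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)
    findings = []
    for m in SETOPT.finditer(code):
        option, value = m.group(1), m.group(2)
        if OFF.fullmatch(value):
            # Report the line on which the option name appears.
            line = code.count("\n", 0, m.start(1)) + 1
            findings.append((line, option, value))
    return findings


if __name__ == "__main__":
    for line, option, value in find_disabled_tls_verification(SAMPLE):
        print(f"line {line}: {option} set to {value}")
```
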