Insecure curl / https usage

[notr1ch]

The library appears to explicitly disable curl's SSL peer/host checks when a certificate file is not provided in executeRequest:

        // https handling
        if (!empty($this->certificate_file)) {
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
            curl_setopt($ch, CURLOPT_CAINFO, $this->certificate_file);
        } else {
            // bypass ssl verification
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
        }

This is insecure as it opens the user to a MITM attack and negates the point of using SSL. By default if CURLOPT_CAINFO is not set, curl uses the system CA bundle to verify certificates, so enabling the host and peer verification only when a manual certificate file is specified is incorrect and reduces security.