Newsgroups: php.internals
Xref: news.php.net php.internals:69217
Message-ID: <523A466C.4070903@gmail.com>
Date: Thu, 19 Sep 2013 02:33:48 +0200
From: Ángel González <keisial@gmail.com>
To: Daniel Lowrey
CC: johannes@schlueters.dot.de, addw@phcomp.dot.co.uk, internals@lists.php.net
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit

On 16/09/13 15:58, Daniel Lowrey wrote:
> More generally, PHP's stream encryption aspects are quite poorly
> documented. For example, https:// streams disable peer verification by
> default. While I understand that this is necessary to provide the easiest
> possible user experience for things like `file_get_contents("https://somesite.com")`,
> it's also horribly insecure. 99% of people using tools like this won't know
> anything about this "feature" and won't realize that their stream transfers
> are totally vulnerable to Man-in-the-Middle attacks by default.

Count me as one of those that didn't know https:// streams didn't verify certificates. :)

*I consider this a bug*

I understand that it's easier to code not verifying the peer, and the hostname may not be available when you are stacking ssl over a stream. But file_get_contents("https://...") is *precisely* the case that should work right out of the box.
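As an added example, not part of this thread or of PHP's own code: a stream context that makes `file_get_contents("https://...")` verify the certificate chain and hostname explicitly, plus a small audit helper that flags a context whose SSL options leave verification off. It assumes PHP 7 or later (the `ssl` options `verify_peer_name` and `peer_name` exist since 5.6, when PHP also switched the defaults to verifying) and a CA bundle path that you adjust to your system.

```php
<?php
// Added example. Builds a strict https:// stream context and audits any
// context for the weak verification settings discussed in the thread.

// Assumed CA bundle location; adjust to the system's bundle.
const CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

// Returns a stream context that refuses unverified or mismatched peers.
function strict_https_context(string $host)
{
    return stream_context_create([
        'ssl' => [
            'verify_peer'       => true,      // chain must validate against cafile
            'verify_peer_name'  => true,      // certificate must match $host
            'allow_self_signed' => false,
            'cafile'            => CA_BUNDLE,
            'peer_name'         => $host,     // explicit name, also for ssl:// sockets
        ],
    ]);
}

// Returns a list of findings; an empty array means no weak setting was found.
function audit_ssl_context($ctx): array
{
    $ssl = stream_context_get_options($ctx)['ssl'] ?? [];
    $findings = [];
    if (empty($ssl['verify_peer'])) {
        $findings[] = 'verify_peer is off: any certificate is accepted, MITM possible';
    }
    if (empty($ssl['verify_peer_name'])) {
        $findings[] = 'verify_peer_name is off: a valid certificate for any host is accepted';
    }
    if (!empty($ssl['allow_self_signed'])) {
        $findings[] = 'allow_self_signed is on: self-signed certificates pass';
    }
    return $findings;
}

// The weak context the thread complains about, written out, next to the strict one.
$weak   = stream_context_create(['ssl' => ['verify_peer' => false]]);
$strict = strict_https_context('example.com');

foreach (['weak' => $weak, 'strict' => $strict] as $label => $ctx) {
    $f = audit_ssl_context($ctx);
    echo $label, ': ', $f ? implode('; ', $f) : 'ok', PHP_EOL;
}

// Usage: file_get_contents('https://example.com/', false, $strict);
// With the strict context a chain or hostname mismatch emits a warning and
// the call returns false instead of silently transferring data.
```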