Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
From: datibbaw@php.net (Tjerk Anne Meesters)
To: Ángel González
Cc: Daniel Lowrey, johannes@schlueters.dot.de, addw@phcomp.dot.co.uk, internals@lists.php.net
Date: Thu, 19 Sep 2013 09:06:56 +0800
In-Reply-To: <523A466C.4070903@gmail.com>

On Thu, Sep 19, 2013 at 8:33 AM, Ángel González wrote:
> On 16/09/13 15:58, Daniel Lowrey wrote:
>
>> More generally, PHP's stream encryption aspects are quite poorly
>> documented. For example, https:// streams disable peer verification by
>> default. While I understand that this is necessary to provide the easiest
>> possible user experience for things like
>> `file_get_contents("https://somesite.com")`, it's also horribly insecure.
>> 99% of people using tools like this won't know anything about this
>> "feature" and won't realize that their stream transfers are totally
>> vulnerable to Man-in-the-Middle attacks by default.
>>
> Count me as one of those that didn't know https:// streams didn't verify
> certificates. :)
> *I consider this a bug* I understand that it's easier to code not
> verifying the peer, and the hostname may not be available when you are
> stacking ssl over a stream.
> But file_get_contents("https://...") is *precisely* the case that
> should work right out of the box.

To be practical, verifying certificates requires an up-to-date CA bundle to
be shipped with PHP; perhaps this is a simple thing to do, I'm not sure.

This is an oft-seen scenario for cURL; the developer would see the
certificate issue, search online and continue with `CURLOPT_VERIFY_PEER => 0`.
That said, at least cURL is configured to check the certificate by default.

-- 
Tjerk
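The two configurations discussed in the thread, shown side by side as an added example (not code from the thread or from the PHP project): a stream context for `file_get_contents()` that verifies the certificate chain and the host name explicitly, and the equivalent cURL options (the real cURL constant is `CURLOPT_SSL_VERIFYPEER`; `CURLOPT_SSL_VERIFYHOST` controls the host-name check). The host name and the CA bundle path are placeholders; the CA bundle lookup through `openssl_get_cert_locations()` and the `verify_peer_name`/`peer_name` options need PHP 5.6 or later, which is also the release where `verify_peer` started defaulting to true. The code assumes PHP 7.1+ syntax.

```php
<?php
declare(strict_types=1);

// Placeholder CA bundle path; distributions put it in different places.
const CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

/**
 * Locate a readable CA bundle: the configured path first, then the one
 * OpenSSL was built with (openssl_get_cert_locations(), PHP >= 5.6).
 * Returning null rather than silently disabling verification is the point.
 */
function findCaBundle(string $preferred = CA_BUNDLE): ?string
{
    if (is_readable($preferred)) {
        return $preferred;
    }
    $loc = openssl_get_cert_locations();
    $default = $loc['default_cert_file'] ?? '';
    return ($default !== '' && is_readable($default)) ? $default : null;
}

/**
 * Build a stream context that verifies the server certificate chain and
 * checks that the certificate matches the host we intended to reach.
 * Before PHP 5.6 'verify_peer' defaulted to false, which is the behaviour
 * the thread complains about; setting every option explicitly makes the
 * intent independent of the PHP version.
 */
function secureHttpsContext(string $host, string $caBundle)
{
    return stream_context_create([
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'peer_name'         => $host,   // name the cert must match
            'allow_self_signed' => false,
            'cafile'            => $caBundle,
        ],
        'http' => ['timeout' => 10],
    ]);
}

/** Fetch an https:// URL; any chain or name-mismatch failure becomes an exception. */
function fetchHttps(string $url): string
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '' || parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException("expected an https:// URL with a host: $url");
    }
    $caBundle = findCaBundle();
    if ($caBundle === null) {
        // Refuse to continue instead of falling back to an unverified connection.
        throw new RuntimeException('no readable CA bundle found; install one before fetching');
    }
    $body = @file_get_contents($url, false, secureHttpsContext($host, $caBundle));
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('TLS/HTTP failure: ' . ($err['message'] ?? 'unknown error'));
    }
    return $body;
}

/**
 * The cURL equivalent. CURLOPT_SSL_VERIFYPEER is the option developers set
 * to 0 when the CA bundle is missing; pointing CURLOPT_CAINFO at a bundle is
 * the fix. CURLOPT_SSL_VERIFYHOST = 2 requires the certificate to match the
 * requested host name, and CURLOPT_PROTOCOLS keeps the transfer on https.
 */
function secureCurlHandle(string $url, string $caBundle)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]);
    return $ch;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $url = 'https://example.invalid/'; // placeholder host
    try {
        echo strlen(fetchHttps($url)), " bytes via stream wrapper\n";
        $ch = secureCurlHandle($url, findCaBundle() ?? CA_BUNDLE);
        $out = curl_exec($ch);
        echo $out === false ? 'cURL: ' . curl_error($ch) . "\n" : strlen($out) . " bytes via cURL\n";
        curl_close($ch);
    } catch (Throwable $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```

Running this against a host whose certificate is self-signed or whose name does not match the URL fails loudly in both paths, which is the behaviour the thread wants out of the box; the missing-CA-bundle case is turned into an error instead of the `VERIFYPEER => 0` workaround the reply describes.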