Newsgroups: php.internals
Xref: news.php.net php.internals:72157
Subject: Re: [PHP-DEV] Re: Windows Peer Verification
From: padraic.brady@gmail.com (Pádraic Brady)
To: Sanford Whiteman
Cc: Daniel Lowrey
Date: Mon, 3 Feb 2014 23:41:02 +0000
In-Reply-To: <10337340.20140203171726@cypressintegrated.com>
References: <344075933.20140203143339@figureone.com> <10337340.20140203171726@cypressintegrated.com>

Hi,

On 3 February 2014 22:17, Sanford Whiteman wrote:
> I think you need to get more experience with the range of third-party
> code that doesn't turn on verify_peer. And frankly it is PHP's fault
> that most code doesn't do so, since PHP was insecure by default and
> never threw an error in the past. Heaping blame on library authors is
> absurd. If someone is writing to the Twitter API, they might not know

I'm sorry, but this is simply outrageous. It is a programmer's responsibility to code securely. It's not absurd, it's reality. If you can't program securely, you shouldn't be programming. This is not some fantasy world where I should pity programmers for their ignorance. It's a world where security flaws can cost companies money, endanger users' privacy and THEIR money, where even minor mistakes can have devastating consequences to privacy and compliance with national and international laws. I fire programmers who can't learn secure coding, but thankfully that's almost unheard of ;). A little training goes a long way.

My next favourite excuse is the one where Man-In-The-Middle attacks are rare theoretical occurrences and so why bother - a belief in utter defiance of how the internet works. I bet the NSA gets a real chuckle out of that one. What's the next excuse? Right, it's all PHP's fault.

Your blaming of PHP is significantly misplaced. It is not solely responsible for programmer malpractice. There are programmers out there, right this moment, with code all across Github doing one very unusual thing. They are deliberately disabling peer verification in cURL where it is enabled by default.
They WILL do the same with PHP streams/sockets. The buck stops at the programmer's feet and that's it. All PHP can do is promote and encourage best practices, it can never enforce them.

Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
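Added illustration, not code from this thread or from PHP itself: the two settings the reply refers to, peer verification in cURL and in the PHP stream/https wrapper, shown in the disabled form that the post criticises next to the hardened form, plus a small guard that a test suite can run to catch a context in which someone has switched verification off. It assumes PHP 5.6 or later built with OpenSSL (5.6 is the release in which `verify_peer` and `verify_peer_name` became true by default for streams; before that the stream default was off, which is the state the quoted message describes), and a CA bundle at the Debian/Ubuntu path below; the path, the host name and the function names are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Assumed location of the system CA bundle (Debian/Ubuntu). Adjust for your platform.
const CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

// The pattern the thread complains about: verification turned off so that a
// certificate error "goes away". Any on-path attacker can now present any
// certificate and impersonate the host; the TLS session still "works".
function insecure_stream_context()
{
    return stream_context_create([
        'ssl' => [
            'verify_peer'       => false,
            'verify_peer_name'  => false,
            'allow_self_signed' => true,
        ],
    ]);
}

// Hardened form for the ssl:// and https:// wrappers: validate the chain
// against a known CA bundle and check the certificate name against the host
// we intend to talk to, pinned explicitly via peer_name.
function secure_stream_context(string $host)
{
    return stream_context_create([
        'ssl' => [
            'verify_peer'         => true,
            'verify_peer_name'    => true,
            'allow_self_signed'   => false,
            'cafile'              => CA_BUNDLE,
            'peer_name'           => $host,
            'verify_depth'        => 5,
            'disable_compression' => true, // TLS compression is an oracle (CRIME); keep it off
        ],
    ]);
}

// Same distinction on the cURL side. CURLOPT_SSL_VERIFYPEER is on by default;
// the insecure variant is the single line "CURLOPT_SSL_VERIFYPEER => false"
// that the reply describes finding all over Github. VERIFYHOST must be 2:
// 0 disables the name check, and 1 is not a valid value in current libcurl.
function secure_curl_handle(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CAINFO          => CA_BUNDLE,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // a redirect must not downgrade to plain http
    ]);
    return $ch;
}

// HTTPS GET through the stream wrapper with the hardened context. A failed
// verification surfaces as a warning and a false return, not as a silent success.
function secure_https_get(string $url): string
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('only https URLs are accepted');
    }
    $body = file_get_contents($url, false, secure_stream_context($host));
    if ($body === false) {
        throw new RuntimeException('TLS connection or verification failed for ' . $host);
    }
    return $body;
}

// Guard for test suites: refuse a context whose ssl options weaken verification.
// Missing keys are treated as the PHP >= 5.6 defaults (verify on, self-signed off).
function context_verifies_peer($ctx): bool
{
    $ssl = stream_context_get_options($ctx)['ssl'] ?? [];
    return ($ssl['verify_peer'] ?? true) === true
        && ($ssl['verify_peer_name'] ?? true) === true
        && ($ssl['allow_self_signed'] ?? false) === false;
}

// Self-check of the guard against the two contexts above; runs offline.
if (context_verifies_peer(insecure_stream_context())) {
    throw new RuntimeException('guard failed to flag a context with verification disabled');
}
if (!context_verifies_peer(secure_stream_context('api.example.com'))) {
    throw new RuntimeException('guard rejected a correctly verifying context');
}
```

The guard only inspects options that were set on the context, so it is useful inside a project's own tests (for example asserting on the context a client library passes to `file_get_contents`); it cannot see cURL options after `curl_setopt`, which is why the cURL side is written as a constructor you call everywhere rather than as something checked after the fact.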