Re: Re: Re: PHP Crypt functions - security audit

From: Date: Thu, 19 Sep 2013 01:06:56 +0000
Subject: Re: Re: Re: PHP Crypt functions - security audit
References: 1 2  Groups: php.internals 
On Thu, Sep 19, 2013 at 8:33 AM, Ángel González <[email protected]> wrote:

> On 16/09/13 15:58, Daniel Lowrey wrote:
>
>> More generally, PHP's stream encryption aspects are quite poorly
>> documented. For example, https:// streams disable peer verification by
>> default. While I understand that this is necessary to provide the easiest
>> possible user experience for things like
>> `file_get_contents("https://somesite.com")`, it's also horribly insecure.
>> 99% of people using tools like this won't know anything about this
>> "feature" and won't realize that their stream transfers are totally
>> vulnerable to Man-in-the-Middle attacks by default.
>>
> Count me as one of those that didn't know https:// streams didn't verify
> certificates. :)
> *I consider this a bug* I understand that it's easier to code not
> verifying the peer, and the hostname may not be available when you are
> stacking ssl over a stream.
> But file_get_contents("https://...") is *precisely* the case that should
> work right out of the box.


To be practical, verifying certificates requires an up-to-date CA bundle to
be shipped with PHP; perhaps this is a simple thing to do, I'm not sure.
This is an oft seen scenario for cURL; the developer would see the
certificate issue, search online and continue with `CURLOPT_VERIFY_PEER =>
0`. That said, at least cURL is configured to check the certificate by
default.





-- 
Tjerk
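
The https:// stream case discussed in this message, with peer and hostname verification switched on explicitly through an "ssl" stream context rather than left to the default. This is an added example, not code from the thread or from PHP itself; the function names, the CA bundle path and the URL are assumptions.

```php
<?php
// Added example, not from the thread. The CA bundle path and URL used in the
// usage lines at the bottom are assumptions; substitute your own.

// Build an "ssl" stream context that verifies both chain and hostname.
function verified_https_context($host, $caFile)
{
    if (!is_readable($caFile)) {
        // Fail closed: without a trust store there is nothing to verify against.
        throw new RuntimeException("CA bundle not readable: $caFile");
    }
    $ssl = array(
        'verify_peer'       => true,     // validate the chain against $caFile
        'cafile'            => $caFile,
        'verify_depth'      => 5,
        'allow_self_signed' => false,
    );
    if (PHP_VERSION_ID >= 50600) {
        $ssl['verify_peer_name'] = true; // hostname check, PHP 5.6 and later
        $ssl['peer_name']        = $host;
    } else {
        $ssl['CN_match'] = $host;        // hostname check before PHP 5.6
    }
    return stream_context_create(array('ssl' => $ssl));
}

function fetch_https_verified($url, $caFile)
{
    $host = parse_url($url, PHP_URL_HOST);
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https' || !$host) {
        throw new InvalidArgumentException("Not an https:// URL: $url");
    }
    $body = @file_get_contents($url, false, verified_https_context($host, $caFile));
    if ($body === false) {
        // Chain, hostname or transport failure: never retry with verify_peer off.
        throw new RuntimeException("TLS verification or transfer failed for $url");
    }
    return $body;
}

// Usage (constructed values):
try {
    echo strlen(fetch_https_verified('https://example.com/', '/etc/ssl/certs/ca-certificates.crt')), " bytes\n";
} catch (Exception $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
}
```

Because the expected peer name is pinned to the host in the original URL, a redirect to a different host fails verification instead of being followed silently.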

