Hi,
On 3 February 2014 18:59, Sanford Whiteman
<[email protected]> wrote:
>> Personally, I say no. If people are going to programmatically use encrypted
>> stream transfers they need to at the very least understand the basics of
>> the CA system. We shouldn't subsidize insecurity, and it's trivially easy
>> to procure a CA file.
>
> That's a double standard. You're saying _Windows_ users need to "at
> the very least understand" while other users don't need to understand
> it at all, because It Just Works.
>
> And anyway I'm not in agreement that if people are going to use
> outbound encryption -- if they are going to simply call a PHP function
> -- they need to understand how to update their local CA bundle. I
> would think that, the majority of the time, users are either [a]
> loading a provided "PHP binding" (.PHP file) for a public API or [b]
> copying-and-pasting boilerplate code from API documentation and, just
> speaking realistically, you should not expect them to know what's
> going on under the hood. You can have a relatively good understanding
> of HTTP (without the S) and when your service says "now you must use
> encryption" there shouldn't be a big learning curve on the user side.

I agree absolutely. For better or worse, we can't expect programmers
to become security experts just because we wish it. I've already noted
a problem with programmers not adopting a simple year-old
disable_compression SSL context option in the wild, and that's in a
population of open source code that has countless experienced
programmers. There may be a minimum bar, but I think people
overestimate how many programmers can jump over it. In that context, a
bit of smart subsidising harms nobody and helps many. One could argue
that setting CN_match on an SSL context is trivial, but then this is
something I saw less than 4 months ago:

"Verify host name for SSL requests – Requests is now the first and
only PHP standalone HTTP library to fully verify SSL hostnames even
with socket connections. This includes both SNI support and common
name checking."

Subsidising the trivial is not a bad thing ;).

Paddy
--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
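
Added example, not part of the original message or of PHP's own code: a small PHP audit of an `ssl` stream context for the options this message names (`CN_match`, `disable_compression`), alongside the `verify_peer`, `cafile`/`capath` and `allow_self_signed` options. It assumes the pre-5.6 behaviour in which an unset option means the protection is off; `audit_ssl_context`, the host name and the CA path are hypothetical, constructed values.

```php
<?php
// Reports which TLS protections an "ssl" stream context array leaves off.
// Assumption: an unset option means the protection is disabled (pre-5.6 defaults).
function audit_ssl_context(array $ssl, $expectedHost)
{
    $findings = array();

    if (empty($ssl['verify_peer'])) {
        $findings[] = 'verify_peer is off: the certificate chain is not validated';
    } elseif (empty($ssl['cafile']) && empty($ssl['capath'])) {
        $findings[] = 'verify_peer is on but no cafile/capath is set';
    }

    if (!isset($ssl['CN_match'])) {
        $findings[] = 'CN_match is unset: the certificate name is not checked against the host';
    } elseif (strcasecmp($ssl['CN_match'], $expectedHost) !== 0) {
        $findings[] = "CN_match '{$ssl['CN_match']}' differs from '$expectedHost'";
    }

    if (empty($ssl['disable_compression'])) {
        $findings[] = 'disable_compression is off: TLS compression may be negotiated';
    }

    if (!empty($ssl['allow_self_signed'])) {
        $findings[] = 'allow_self_signed is on';
    }

    return $findings;
}

// Constructed sample contexts: copy-pasted boilerplate versus a hardened one.
$host = 'api.example.com';                    // hypothetical host
$boilerplate = array('verify_peer' => false);
$hardened = array(
    'verify_peer'         => true,
    'cafile'              => '/path/to/cacert.pem', // placeholder path
    'CN_match'            => $host,
    'disable_compression' => true,
);

foreach (array('boilerplate' => $boilerplate, 'hardened' => $hardened) as $name => $ssl) {
    $findings = audit_ssl_context($ssl, $host);
    echo $name, ': ', $findings ? implode('; ', $findings) : 'no findings', "\n";
}

// The audited array is what the stream wrapper receives; no connection is made here.
$context = stream_context_create(array('ssl' => $hardened));
```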