Re: Windows Peer Verification

From:	Pádraic Brady	Date:	Mon, 03 Feb 2014 19:33:54 +0000
Subject:	Re: Windows Peer Verification
References:	1 2 3 4	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi,

On 3 February 2014 18:59, Sanford Whiteman
<[email protected]> wrote:
>> Personally, I say no. If people are going to programmatically use encrypted
>> stream transfers they need to at the very least understand the basics of
>> the CA system. We shouldn't subsidize insecurity, and it's trivially easy
>> to procure a CA file.
>
> That's a double standard. You're saying _Windows_ users need to "at
> the very least understand" while other users don't need to understand
> it at all, because It Just Works.
>
> And anyway I'm not in agreement that if people are going to use
> outbound encryption -- if they are going to simply call a PHP function
> -- they need to understand how to update their local CA bundle. I
> would think that, the majority of the time, users are either [a]
> loading a provided "PHP binding" (.PHP file) for a public API or [b]
> copying-and-pasting boilerplate code from API documentation and, just
> speaking realistically, you should not expect them to know what's
> going on under the hood. You can have a relatively good understanding
> of HTTP (without the S) and when your service says "now you must use
> encryption" there shouldn't be a big learning curve on the user side.

I agree absolutely. For better or worse, we can't expect programmers
to become security experts just because we wish it. I've already noted
a problem with programmers not adopting a simple year-old
disable_compression SSL context option in the wild, and that's in a
population of open source code that has countless experienced
programmers. There may be a minimum bar, but I think people
overestimate how many programmers can jump over it. In that context, a
bit of smart subsidising harms nobody and helps many. One could argue
that setting CN_match on a SSL context is trivial, but then this is
something I saw less than 4 months ago:

"Verify host name for SSL requests – Requests is now the first and
only PHP standalone HTTP library to fully verify SSL hostnames even
with socket connections. This includes both SNI support and common
name checking."

Subsidising the trivial is not a bad thing ;).

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative


   

Thread (53 messages)

• Daniel LowreyMon, 03 Feb 2014 18:08:26 +0000
  • Pierre JoyeMon, 03 Feb 2014 18:25:33 +0000
    • Daniel LowreyMon, 03 Feb 2014 18:46:38 +0000
      • Pierre JoyeMon, 03 Feb 2014 18:49:33 +0000
        • Ferenc KovacsMon, 03 Feb 2014 19:00:44 +0000
      • Sanford WhitemanMon, 03 Feb 2014 18:59:38 +0000
        • Pádraic BradyMon, 03 Feb 2014 19:33:54 +0000
  • Sanford WhitemanMon, 03 Feb 2014 18:35:22 +0000
  • Chris WrightSat, 22 Feb 2014 00:31:28 +0000
    • Daniel LowreySat, 22 Feb 2014 00:58:44 +0000
    • Pierre JoyeSat, 22 Feb 2014 08:30:11 +0000
      • Chris WrightSat, 22 Feb 2014 10:51:14 +0000
        • Daniel LowreySat, 22 Feb 2014 13:12:40 +0000
        • Pierre JoyeSat, 22 Feb 2014 13:19:27 +0000
          • Chris WrightSat, 22 Feb 2014 22:59:30 +0000
          • Jakub ZelenkaSun, 23 Feb 2014 15:25:27 +0000
    • Ferenc KovacsTue, 25 Feb 2014 16:38:51 +0000
    • Chris WrightWed, 26 Feb 2014 09:48:38 +0000
      • Anatol BelskiWed, 26 Feb 2014 10:39:04 +0000
        • Chris WrightWed, 26 Feb 2014 11:09:31 +0000
          • Anatol BelskiWed, 26 Feb 2014 11:35:07 +0000
            • Chris WrightWed, 26 Feb 2014 11:57:27 +0000
              • Anatol BelskiWed, 26 Feb 2014 15:37:05 +0000
                • Chris WrightSun, 02 Mar 2014 21:07:19 +0000
• Daniel LowreyMon, 03 Feb 2014 19:19:36 +0000Re: Windows Peer Verification
  • Daniel LowreyMon, 03 Feb 2014 19:27:01 +0000
    • Pierre JoyeMon, 03 Feb 2014 19:39:31 +0000Re: Re: Windows Peer Verification
  • Sanford WhitemanMon, 03 Feb 2014 19:33:39 +0000Re: Re: Windows Peer Verification
    • Daniel LowreyMon, 03 Feb 2014 19:44:01 +0000
      • Sanford WhitemanMon, 03 Feb 2014 20:34:38 +0000
      • Daniel LowreyMon, 03 Feb 2014 21:45:44 +0000
        • Sanford WhitemanMon, 03 Feb 2014 22:17:26 +0000
          • Sanford WhitemanMon, 03 Feb 2014 22:21:08 +0000
          • Pádraic BradyMon, 03 Feb 2014 23:41:02 +0000
            • Sanford WhitemanMon, 03 Feb 2014 23:56:46 +0000
              • Pádraic BradyTue, 04 Feb 2014 00:29:29 +0000
                • Sanford WhitemanTue, 04 Feb 2014 00:32:39 +0000
            • Sanford WhitemanTue, 04 Feb 2014 00:05:03 +0000
              • Sanford WhitemanTue, 04 Feb 2014 00:36:12 +0000
        • Pierre JoyeTue, 04 Feb 2014 05:46:47 +0000
          • Sanford WhitemanTue, 04 Feb 2014 05:58:40 +0000
            • Pierre JoyeTue, 04 Feb 2014 06:14:43 +0000
              • Lester CaineTue, 04 Feb 2014 07:38:31 +0000
                • Pierre JoyeTue, 04 Feb 2014 07:39:14 +0000
                  • Lester CaineTue, 04 Feb 2014 07:57:24 +0000
                    • Pierre JoyeTue, 04 Feb 2014 08:00:12 +0000
                      • Lester CaineTue, 04 Feb 2014 08:29:53 +0000
                        • Pierre JoyeTue, 04 Feb 2014 08:35:19 +0000
                          • Lester CaineTue, 04 Feb 2014 09:03:02 +0000
                            • Pierre JoyeTue, 04 Feb 2014 09:24:06 +0000
                              • Sanford WhitemanThu, 06 Feb 2014 06:13:39 +0000
                                • Ferenc KovacsThu, 06 Feb 2014 14:09:49 +0000
  • Sanford WhitemanMon, 03 Feb 2014 19:37:49 +0000Re: Re: Windows Peer Verification