On 16/09/13 15:58, Daniel Lowrey wrote:
More generally, PHP's stream encryption aspects are quite poorly
documented. For example, https:// streams disable peer verification by
default. While I understand that this is necessary to provide the easiest
possible user experience for things like
`file_get_contents("https://somesite.com")`, it's also horribly insecure.
99% of people using tools like this won't know anything about this
"feature" and won't realize that their stream transfers are totally
vulnerable to Man-in-the-Middle attacks by default.
Count me as one of those that didn't know https:// streams didn't verify
certificates. :)

*I consider this a bug.* I understand that it's easier to code not verifying
the peer, and the hostname may not be available when you are stacking SSL
over a stream. But file_get_contents("https://...") is *precisely* the case
that should work right out of the box.



--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
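For readers who want to see what the two posters are talking about in code: the following is an added example, not code from either message or from PHP's own sources. It puts the unverified default call side by side with a stream context that actually checks the peer certificate chain and the hostname. The CA bundle path, the wrapper function name and the URL are assumptions for illustration; `verify_peer`, `cafile`, `allow_self_signed` and `CN_match` are existing `ssl://` context options on PHP 5.3 to 5.5, and `verify_peer_name` is the PHP 5.6 option that replaced `CN_match` (PHP 5.6 also turned peer verification on by default).

```php
<?php
// Added example for the PHP internals thread above; not code from the thread.
// Shows the insecure default https:// stream call next to a hardened one.

// INSECURE (PHP < 5.6 default): no stream context, so verify_peer is false.
// Any certificate, including one minted by an on-path attacker, is accepted.
function fetch_insecure($url)
{
    return file_get_contents($url);
}

// HARDENED: explicit ssl context that verifies the chain and the hostname.
// $cafile is an assumed path to a PEM CA bundle; on PHP < 5.6 there is no
// default bundle, so verify_peer => true without cafile/capath simply fails.
function fetch_verified($url, $cafile = '/etc/ssl/certs/ca-certificates.crt')
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!$host) {
        throw new InvalidArgumentException("Cannot extract host from URL: $url");
    }
    if (!is_readable($cafile)) {
        throw new RuntimeException("CA bundle not readable: $cafile");
    }

    $opts = array(
        'ssl' => array(
            'verify_peer'       => true,   // validate chain against $cafile
            'allow_self_signed' => false,  // never accept an unanchored cert
            'cafile'            => $cafile,
            // Hostname check. CN_match is the PHP 5.3-5.5 option (deprecated in 5.6);
            // verify_peer_name is the 5.6+ option. Setting both is harmless.
            'CN_match'          => $host,
            'verify_peer_name'  => true,
        ),
        'http' => array(
            'timeout' => 10,
        ),
    );
    $context = stream_context_create($opts);

    // Suppress the warning so we can turn the failure into an exception.
    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        $err = error_get_last();
        $msg = isset($err['message']) ? $err['message'] : 'unknown error';
        // A MITM or a bad chain surfaces here as an SSL handshake failure
        // instead of silently returning the attacker's content.
        throw new RuntimeException("HTTPS fetch failed (peer verification): $msg");
    }
    return $body;
}

// Usage (URL is an assumed placeholder):
// $html = fetch_verified('https://somesite.com/');
```

A quick way to confirm the context is doing something is to point `fetch_verified()` at a host with a self-signed or mismatched certificate: the insecure form returns the page, the verified form throws. Note that `verify_peer` alone only checks the chain; without `CN_match` (or `verify_peer_name` on 5.6+) any certificate issued by a trusted CA for any other name would still pass, which is the second half of the MITM problem the thread describes.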