Pádraic Brady:
Securely Distributing PHARs Pitfalls and Solutions
March 04, 2015 @ 11:46:10

Pádraic Brady has a new article on his site talking about the secure distribution of phars (PHP archive files) including some of the common pitfalls and potential solutions.

The PHAR ecosystem has become a separate distribution mechanism for PHP code, distinct from what we usually consider PHP packages via PEAR and Composer. However, they still suffer from all of the same problems, namely the persisting whiff of security weaknesses in how their distribution is designed. [...] Several security-related issues introduce an element of risk that the code you receive is not actually the code the author intended to distribute, i.e. it may decide to go do some crazy things that spell bad news when executed.

He shares some of the steps he's taken to secure his own phar for a CLI application with things like:

  • Distribute the PHAR over HTTPS
  • Enforce TLS verification
  • Sign your PHAR with a private key
  • Avoid PHAR Installer scripts
  • Manage Self-Updates securely

He finishes the post with one of the most important parts of the article - a reminder to do all of the things on the list above consistently.

This is not an outrageous outcome to introducing proper security on PHAR downloads. Go forth and do it for all PHARs. Help create an environment where distributing and installing code in secure ways is the normal expected thing to do.

Link: http://blog.astrumfutura.com/2015/03/securely-distributing-phars-pitfalls-and-solutions/

Pádraic Brady:
A Secure Wrapper For Downloading HTTPS Resources Using file_get_contents()
February 05, 2015 @ 09:57:41

Pádraic Brady has a new post today sharing a tool he's created to enhance the current PHP file_get_contents function with a safer, more secure alternative, the humbug_get_contents library.

With the release of PHP 5.6, there was a significant security improvement in how PHP handled SSL/TLS protections, namely that it enabled a secure set of default options. Previously, SSL/TLS was disabled by default. No peer verification, no certificate checking, and a lack of configuration options had combined to create a serious problem. You can find this problem easily by searching for file_get_contents() on github and locating a call to this function used to retrieve any HTTP resource while also having zero configuration.

An excellent example of this is Composer which uses file_get_contents() instead of curl to ensure maximum compatibility with using systems. Of course, this beggars a question. If all the SSL/TLS protections are off by default in PHP 5.3-5.5…what's stopping some irksome hacker from injecting bad code into our Composer downloads? Answer: Nothing.

The package provides a drop-in solution to the possible man-in-the-middle issues that could be caused by the native functionality. It enhances the current function with additional TLS/SSL checking for HTTPS requests on current PHP versions.


Link: http://blog.astrumfutura.com/2015/02/a-secure-wrapper-for-downloading-https-resources-using-file_get_contents/

Docnet.nu:
SSL And PHP Streams - Part 1 You Are Doing It Wrong™
June 26, 2014 @ 09:54:40

On the Docnet.nu blog today they've kicked off a series looking at the use of streams and SSL in PHP and asking if you're doing it wrong in your current applications. The focus is more on the security aspect, breaking it down into a set of common problems (and how to work around them).

The upcoming PHP 5.6 release brings with it a number of improvements to encrypted PHP streams, both internally and externally. In these articles I will try to cover the most important changes, and how they affect your code. This article will focus on how to get the best security level in code that needs to be run on PHP versions below 5.6, and highlighting some of the gaps in the currently available functionality. Version 5.4.13 is the earliest version that supports all the options described below - and if you are running something earlier than this, then you really should consider upgrading to at least the latest version of the 5.4 series.

Their list is made up of six different problems:

  • Problem 1: Peer Verification
  • Problem 2: Cipher Lists
  • Problem 3: Protocol Support
  • Problem 4: TLS Compression Attack Vulnerability
  • Problem 5: Cipher Order
  • Problem 6: TLS Renegotiation Attacks

Each problem comes with a brief description of what it is and why it's an issue. Some also include code snippets showing how to correct the issue, usually relatively simply.


Link: http://www.docnet.nu/tech-portal/2014/06/26/ssl-and-php-streams-part-1-you-are-doing-it-wrongtm/C0

SitePoint Web Blog:
HTTPS Basics
April 02, 2014 @ 09:06:08

If you're relatively new to web development, you might not know exactly what kinds of benefits that using an HTTPS connection might provide. In this new article from the SitePoint PHP blog, Mufleeh Sadique covers some of the basics of HTTPS and gives some reasons why to "go HTTPS" in your applications.

Hypertext Transfer Protocol Secure or Hypertext Transfer Protocol over SSL is used for secure communication over a network, or perhaps more importantly - over the Internet. You would see https:// in the URI and a lock icon in the browser when you access a page that uses HTTPS. [...] If you ever wondered whether and how to go HTTPS with your website, we'll attempt to clear this up in this article by briefly describing what HTTPS is about, and why and how to implement it.

He's broken the rest of the article up into a few different sections. The first answers the question "why HTTPS" with a few reasons including the most important - encrypted communication. In the second section, he starts showing you how to "go HTTPS" using a self-signed certificate to start. With the certificate installed, he moves into the last part, ensuring your application is always using the HTTPS version and redirecting anything else.


Link: http://www.sitepoint.com/https-basics

NetTuts.com:
HTTP The Protocol Every Web Developer Must Know - Part 2
April 29, 2013 @ 15:07:21

NetTuts.com has followed up their previous article covering some of the basics of the HTTP protocol with this new post, part 2 of the series. They suggest that HTTP, the messaging format of the web, is the one protocol that every web developer should know.

In my previous article, we covered some of HTTP's basics, such as the URL scheme, status codes and request/response headers. With that as our foundation, we will look at the finer aspects of HTTP, like connection handling, authentication and HTTP caching. These topics are fairly extensive, but we'll cover the most important bits.

In this article, they talk about things like the HTTPS secure version of HTTP, server-side connection handling, identification/authorization and working with caching and cache control headers.


Link: http://net.tutsplus.com/tutorials/tools-and-tips/http-the-protocol-every-web-developer-must-know-part-2

Christopher Kunz's Blog:
Now serving SPDY
May 03, 2012 @ 08:14:08

Christopher Kunz is trying out the new web acceleration tool Google recently released (SPDY) when his site is served under HTTPS (warning, self-signed cert).

The reason this posting lands in the PHP category is that I want to have a playground testing PHP applications with mod_spdy. Currently (and probably also in the future), this machine uses mod_php instead of php_(f)cgi(d) - this is not recommended for interoperation with mod_spdy. To test the real-life impact of the possible thread safety issues, I am using my private pages as a sandbox.

He has two other PHP-based applications running with the accelerator - a Gallery3 install and a WordPress site. SPDY ("speedy") was released by Google and is similar to HTTP but with a focus on minimized latency and heightened web security.



PHPBuilder.com:
Transfer Data via Multiple Protocols with Libcurl
September 19, 2011 @ 12:03:23

On PHPBuilder.com today there's a new tutorial showing how to use libcurl to communicate over multiple protocols like FTP, HTTP, HTTPS, SMTP and SMTPS. The libcurl library can be compiled in or installed as a shared module in your PHP install to provide enhanced networking abilities.

As I wrote in my PHP multithreading with cURL article, the libcurl is a free and easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. PHP supports the libcurl library which allows you to connect and communicate to many different types of servers with many different types of protocols.

The tutorial focuses on two different types of connections (well, four really) - FTP/FTPS and HTTP/HTTPS - and how to transfer data across each. Some code is included to create a (procedural) tool to send an uploaded file to a remote site.



Matthew Weier O'Phinney's Blog:
Making Zend Server Available Via SSL Only
January 07, 2011 @ 09:46:58

Matthew Weier O'Phinney has a new post to his blog today about making your Zend Server instance a bit more secure by taking the admin GUI and forcing it to be HTTPS-only (instead of the default HTTP & HTTPS).

In light of the recent remote PHP exploit, I decided to update a couple servers I manage to ensure they weren't vulnerable. In each case, I had been using hand-compiled PHP builds, but decided that I'm simply too busy lately to be trying to maintain updates -- so I decided to install Zend Server. [...] One thing I've never been happy about, however, is that by default Zend Server exposes its administration GUI via both HTTP and HTTPS. Considering that the password gives you access to a lot of sensitive configuration, I want it to be encrypted.

He points out that, since the Zend Server interface runs on a lighttpd instance, it's easy to modify a few config files to change the setting. Adding a few lines to limit the socket it can connect on, the IP address to filter to and a URL filter on anything starting with "/ZendServer/" takes away the HTTP access.



PHP Web Services:
How to configure https for Apache2.2 and consume PHP web services over https
May 24, 2010 @ 08:39:49

New from the PHP Web Services blog today there's a post showing you how to set up Apache 2.2 for HTTPS connections to consume other web services.

The tutorial gives you a step-by-step process to follow with commands and configuration changes every step of the way:

  • Create a certificate
  • Generate a key
  • Sign the key with the certificate
  • Copy the keys to the right directory
  • Make configuration changes for the SSL connections
  • Connect to the remote HTTPS web service

If you're using PHP, you can also use the OpenSSL and SOAP clients with the SSL libraries to make requests to secure remote resources.



DotVoid.com:
Problem with downloading files with Internet Explorer over HTTPS
October 01, 2009 @ 09:48:28

On the DotVoid.com blog Danne shares a quick tip on forcing downloads over HTTPS to Internet Explorer (which, of course, has to be difficult about it).

The problem is that Internet Explorer does not handle file downloads without caching over https very well. Or at all. According to knowledge articles on Microsoft's website the problem occurs when having one or two of the http headers. [...] Previously I have just omitted the http header "Pragma: nocache" for IE but it seems it does not always help.

So the fix is relatively simple - rely on the $_SERVER['HTTP_USER_AGENT'] value to tell if it's an IE browser or not. If it is, "Pragma: cache" works. If not, stick with "Pragma: no-cache".

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework