Lets make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE! I am sorry for the tone of this post but i am enraged by how popular this issue is online. If you ask why i suggest a little experiment [involving changing your hosts file and using a self-signed certificate].

The issue he spotlights is all too common - a server serves up SSL pages but doesn't actually verify the certificate in the process. He gives a bad example of how some scripts handle this issue using the CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to turn off this verification - a very bad idea. To protect yourself from any kind of man-in-the-middle or DNS hijack issues, you should leave these on.

In this article you will learn how to write a login application in PHP using Ajax and SSL/TLS in two ways either using aSSL (Ajax Server Secure Layer), a library that implements a technology similar to SSL without HTTPS or a simple Ajax and OpenSSL, an open source implementation of the SSL and TLS protocols.

They start with the aSSL method and link you to a download of the tool as well as some sample code to help you get started passing data to it via the session. The second example shows the OpenSSL method, mostly consisting of checking on the server side of the certificate that's passed along with the request.

The tutorial gives you a step-by-step process to follow with commands and configuration changes every step of the way:

• Create a certificate
• Generate a key
• Sign the key with the certificate
• Copy the keys to the right directory
• Make configuration changes for the SSL connections
• Connect to the remote HTTPS web service

If you're using PHP, you can also use the OpenSSL and SOAP clients with the SSL libraries to make requests to secure remote resources.

This guide will lead you through creating a secure ssl based webserver to be able to stream your multimedia across the World Wide Web. Before embarking on this journey I would highly recommend reading this documentation in it's fullest before executing any of it. You may find some pointers in the tips and tweaks section that you can make during installation that would make this install even easier and make it a one time install.

There are a few requirements they mention, but once that's all arranged, it's a pretty simple setup overall. It uses the Jinzora software to provide the media streaming/management component of the setup...]]> Wed, 08 Feb 2006 07:02:10 -0600 http://www.phpdeveloper.org/news/4800 http://www.phpdeveloper.org/news/4800 another new tutorial - this time it concerns the safe handling of passwords in your PHP scripts.

If you're ever going to create a script that involves users or passwords, which is very likely, you'll probably run across security issues with handling the passwords. You can't just store the passwords in clear text in your database, and great care must be used when managing the passwords (for example during login).

In this article I will show you everything that you have to think about when handling passwords in PHP, and how to solve some common problems.

They offer suggestions like storying them hashed (md5 or sha1), protecting them with a salt, SSL certificates, and how to manage their use with things like cookies and sessions.]]> Mon, 06 Feb 2006 07:17:10 -0600