
Artur Ejsmont's Blog:
How to properly secure remote API calls over SSL from PHP code
September 19, 2011 @ 13:56:00

Artur Ejsmont has a new post with a passionate call to arms for anyone who thinks that just because their URL has "https" in it, it's secure. He presents his suggestion on how to properly secure SSL API calls for your PHP application.

Let's make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE! I am sorry for the tone of this post but I am enraged by how popular this issue is online. If you ask why, I suggest a little experiment [involving changing your hosts file and using a self-signed certificate].

The issue he spotlights is all too common: a remote service is served over SSL, but the script calling it doesn't actually verify the certificate in the process. He gives a bad example of how some scripts handle this by using the CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST options to turn off this verification, which is a very bad idea. To protect yourself from man-in-the-middle or DNS hijacking attacks, you should leave these on.
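The verification settings discussed above, as an added PHP example (not code from Artur Ejsmont's post or from PHPDeveloper.org): the disabled options appear as comments beside a request helper that enforces them and fails closed. The function name `secureApiGet`, the optional CA bundle parameter and the `api.example.com` URL are assumptions for illustration.

```php
<?php
// Added example. The "before" settings the post warns against, kept as comments:
//   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // accepts any certificate, self-signed included
//   curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // skips the host name check entirely

/**
 * GET a remote HTTPS API with certificate and host name verification enforced.
 * $caBundle (hypothetical parameter) is an optional path to a PEM CA bundle;
 * when null, libcurl's default trust store is used.
 */
function secureApiGet(string $url, ?string $caBundle = null): string
{
    // Reject anything that is not https:// before a connection is attempted.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Refusing non-HTTPS URL: ' . $url);
    }

    $ch = curl_init($url);
    $options = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // chain must validate against a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate name must match the URL host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // libcurl itself refuses other schemes
        CURLOPT_FOLLOWLOCATION => false,           // do not follow redirects silently
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($caBundle !== null) {
        $options[CURLOPT_CAINFO] = $caBundle;      // pin trust to a specific CA bundle
    }
    curl_setopt_array($ch, $options);

    $body = curl_exec($ch);
    if ($body === false) {
        // A failed verification lands here: stop, never retry with checks disabled.
        throw new RuntimeException(sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch)));
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException('Unexpected HTTP status ' . $status);
    }
    return $body;
}

try {
    echo secureApiGet('https://api.example.com/v1/status'); // placeholder URL
} catch (Exception $e) {
    error_log('API call rejected: ' . $e->getMessage());
}
```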



All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework