News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Pádraic Brady:
Thoughts on Composer's Future Security
March 06, 2014 @ 11:09:06

Pádraic Brady has a new "let's watch Paddy think aloud in a completely unstructured manner blog post" about the future of security when it comes to the popular PHP package manager Composer. It's recently come under criticism around its lack of package signing and TLS/SSL support.

The Composer issue, as initially reported by Kevin McArthur, was fairly simple. Since no download connection by Composer was properly secured using SSL/TLS then an attacker could, with the assistance of a Man-In-The-Middle (MITM) attack, substitute the package you wanted to download with a modified version that communicated with the attacker's server. They could, for example, plant a line of code which sends the contents of $_POST to the attacker's server.

He's been working on some updates to the project, one of with is TLS/SSL support as defined in this pull request currently pending. It enables peer verification by default, follows PHP 5.6 TLS recommendations and uses local system certificates in the connection. He talks some about other additional TLS/SSL measures that could be added in the future and how, despite it being safer than nothing, TLS/SSL is not the "cure all" for the problem.

He then moves on to package signing and suggests one method for implementation - signing the "composer.phar" executable and signing "everything else" (packages to be downloaded) to verify their validity.

The flaw in Composer's installer isn't that it's unsigned, it's that it doesn't afford the opportunity for the downloader to read it before it gets piped to PHP. It's a documentation issue. You can go down the route of using a CA, of course, but that's further down the rabbit hole than may be necessary. Signing the composer.phar file is another matter.
0 comments voice your opinion now!
composer package signing tls ssl support security

Link: http://blog.astrumfutura.com/2014/03/thoughts-on-composers-future-security

Pádraic Brady:
PHP 5.6 and SSL/TLS Getting Better But Will PHP Programmers Actually Use It?
January 31, 2014 @ 11:24:32

In his latest post Pádraic Brady looks at a new addition to PHP (well, to be included in the next release) related to the SSL/TLS handling it provides in streams. He's happy to report that things are improving. This commit integrated an RFC allowing for TLS perr verification in PHP streams.

The RFC reverses PHP's course and provides PHP streams with defaults that enable both peer verification and host verification. The patch implements the RFC and it lets PHP leverage the local system's own certificate stash (e.g. Debian's ca-certificates) where possible to avoid PHP having to distribute a bundle of its own and while also assisting in backwards compatibility. [...] Once we have a PHP streams/sockets system with a passable level of default security, the rest will be left to programmers on the ground to change their practices.

With this new functionality coming in PHP 5.6, he strongly encourages developers to change how they're currently doing things and embrace this new verification to keep their code safer.

0 comments voice your opinion now!
ssl tls php56 programmer peer verification rfc

Link: http://blog.astrumfutura.com/2014/01/php-5-6-and-ssltls-getting-better-but-will-php-programmers-actually-use-it/

Joshua Thijssen:
Decoding TLS with PHP
December 31, 2013 @ 10:17:19

Joshua Thijssen has posted a walk-through of some work he's done to create a TLS decoder in PHP. TLS (Transport Layer Security) is a method for encrypting data being sent back and forth between the client and server, similar to how SSL is used.

As a proof of concept I wanted to see in how far I could decode some TLS data on the client side. Obviously, this is very complex matter, and even though TLS looks deceptively simple, it isn't. To make matters worse, PHP isn't quite helping us making things easy neither.

His solution (code posted here) goes through a few steps to finally get to the actual data:

  • Capturing TLS data
  • Gathering all the necessary fields
  • From pre-master-secret to master-secret (decoding TLS_RSA_WITH_RC4_128_SHA)
  • Partitioning our master-secret
  • Decoding our data
  • Verifying message integrity

For each step along the way he shares the relevant code and a brief description of what's happening. If you want to see the end result and try it out for yourself, check out his repository.

0 comments voice your opinion now!
decode tls transport layer security protocol data tutorial

Link: http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php

Symfony Blog:
Symfony 2.3.0, the first LTS, is now available
June 05, 2013 @ 11:25:14

As is mentioned in this new post to the Symfony blog, the latest milestone release of the popular framework has been made - Symfony 2.3.0.

We were all waiting for it and many of us have been working hard for the last four years to make it happen. Today, Symfony 2.3.0 is available and this is the first long-term support release for Symfony version 2. I'm so happy that we were able to achieve this important milestone in the life of the framework. THANK YOU for making it possible. [...] That gives us the best of two different worlds: small teams and agile companies can benefit from the latest features by upgrading every six months (they have two months to upgrade); large teams and traditional companies can standardize on a release. [...] And 2.3.0 is our first long term support release. We, the community, are going to maintain it for the next three years (until May 2016).

The post includes some statistics about this latest release as well as some of the new features that come along with it. For those that want to upgrade right away, there's also some instructions on what to change in your "composer.json" file to try it all out.

0 comments voice your opinion now!
symfony2 tls service release features availability

Link: http://symfony.com/blog/symfony-2-3-0-the-first-lts-is-now-available

PHPBuilder.com:
Write an Ajax-driven Login Application in PHP Using SSL/TLS
September 09, 2010 @ 10:29:03

On the PHPBuilder.com site today there's a new tutorial posted from Octavia Anghel about creating a login for your site that's powered by Ajax and uses a bit more security than normal. It includes hooks to use the Ajax Server Secure Layer or an OpenSSL connection.

In this article you will learn how to write a login application in PHP using Ajax and SSL/TLS in two ways either using aSSL (Ajax Server Secure Layer), a library that implements a technology similar to SSL without HTTPS or a simple Ajax and OpenSSL, an open source implementation of the SSL and TLS protocols.

They start with the aSSL method and link you to a download of the tool as well as some sample code to help you get started passing data to it via the session. The second example shows the OpenSSL method, mostly consisting of checking on the server side of the certificate that's passed along with the request.

0 comments voice your opinion now!
ssl tls secure certificate assl openssl ajax



Community Events





Don't see your event here?
Let us know!


community list series opinion install developer language refactor framework configure code podcast laravel testing unittest threedevsandamaybe wordpress interview introduction release

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework