
If I use PHP's fopen() function to retrieve data from an HTTPS website, is that what one would call a secure HTTPS connection, i.e. does it provide protection against man-in-the-middle and eavesdropping attacks?

Cheekysoft
Kenneth Poulsen

1 Answer


Not by default, no.

It will always provide some form of protection against simple eavesdropping attacks, as the data will always be encrypted (as long as the SSL server you are connecting to allows at least one encrypted cipher to be used - yes, null-encryption ciphers are allowed in HTTPS connections :roll-eyes:). However, by default it will not protect against man-in-the-middle attacks, as it doesn't validate the server's certificate, so you cannot have any confidence that you have connected to the intended server.

Certificate validation can be switched on. To do so, you will need to provide a root certificate bundle and use the fourth argument to fopen, which allows you to specify a stream context. The stream context allows you to modify the behaviour of the stream. The example below causes certificates to be validated against the root certificates in the specified bundle file.

<?php
// Build a stream context that turns certificate verification on for the
// https:// wrapper; 'cafile' points at a PEM bundle of trusted root CAs.
$context = stream_context_create( array(
    'ssl' => array(
        'cafile'      => 'ca_bundle.crt',
        'verify_peer' => true
    )
));

// Pass the context as the fourth argument; fopen() returns false (and emits
// a warning) if the server's certificate does not chain to the bundle.
$file = fopen( $url, 'r', false, $context );
if ( $file === false ) {
    die( 'HTTPS connection failed: certificate verification error' );
}
Cheekysoft
  • One additional thing you may want to do is to restrict the allowable set of ciphers to only allow strong forms of encryption. The strongest available cipher (allowed by both client and server) should be used by default; however, if you are really fussy, you may want to deny connections to servers that don't support a high-enough level of encryption. If anyone knows how to achieve this in PHP, please post. – Cheekysoft May 24 '12 at 09:36
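The cipher restriction the comment above asks about, together with hostname checking and a minimum protocol version, as an added example that is not part of the original question, answer or comment. The 'ssl' stream context option names (verify_peer, verify_peer_name, cafile, crypto_method, ciphers, capture_peer_cert) are PHP's own; the CA bundle path, the URL, the cipher list and the presence of a 'crypto' key in stream_get_meta_data() on PHP 5.6 and later are assumptions made for the example.

```php
<?php
// Added example, not code from the original answer or comment. The 'ssl'
// context option names are PHP's own; the CA bundle path, the URL and the
// cipher list are assumptions chosen for illustration.

/**
 * Fetch $url with fopen() over HTTPS, refusing the connection unless the
 * certificate chains to $caBundle, its name matches the host, the protocol
 * is TLS 1.2 or newer and a forward-secret AEAD cipher suite is negotiated.
 * Returns the body plus what was actually negotiated.
 */
function fetch_https_strict(string $url, string $caBundle): array
{
    // TLS 1.2 only, or TLS 1.2/1.3 where PHP (7.4+) knows the 1.3 flag.
    $methods = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $methods |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }

    $context = stream_context_create([
        'ssl' => [
            // Reject any certificate that does not chain to a CA in the bundle.
            'verify_peer'       => true,
            'cafile'            => $caBundle,
            // Also require the certificate to be issued for this host; with
            // verify_peer alone, a valid certificate for any other site passes.
            'verify_peer_name'  => true,
            // No downgrade below TLS 1.2.
            'crypto_method'     => $methods,
            // OpenSSL cipher-list syntax: ECDHE key exchange with AES-GCM or
            // ChaCha20 only; explicitly strip NULL, MD5 and RC4 suites. (Under
            // TLS 1.3 OpenSSL consults its separate ciphersuite list instead.)
            'ciphers'           => 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4',
            // Keep the server certificate so it can be inspected afterwards.
            'capture_peer_cert' => true,
        ],
    ]);

    // Compare: the insecure setting this thread warns about would be
    // 'verify_peer' => false, 'verify_peer_name' => false (no identity check).

    $stream = @fopen($url, 'r', false, $context);
    if ($stream === false) {
        // Verification or handshake failures surface as a warning plus a false
        // return; turn that into an exception so callers cannot ignore it.
        $err = error_get_last();
        throw new RuntimeException('HTTPS connection refused: ' . ($err['message'] ?? 'unknown error'));
    }

    $body = stream_get_contents($stream);
    $meta = stream_get_meta_data($stream);
    fclose($stream);

    // Negotiated protocol/cipher (the 'crypto' key is assumed present, as on PHP 5.6+).
    $crypto = $meta['crypto'] ?? [];

    // The captured certificate lives in the context's options after the handshake.
    $opts = stream_context_get_options($context);
    $cert = openssl_x509_parse($opts['ssl']['peer_certificate']);

    return [
        'body'     => $body,
        'subject'  => $cert['name'] ?? '',
        'issuer'   => $cert['issuer']['CN'] ?? '',
        'protocol' => $crypto['protocol'] ?? 'unknown',
        'cipher'   => $crypto['cipher_name'] ?? 'unknown',
    ];
}

// Usage: php fetch.php https://example.com/ /etc/ssl/certs/ca-certificates.crt
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $r = fetch_https_strict($argv[1], $argv[2]);
    printf("%s (issued by %s) over %s / %s, %d bytes\n",
        $r['subject'], $r['issuer'], $r['protocol'], $r['cipher'], strlen($r['body']));
}
```

A server that only offers suites outside the 'ciphers' list, or only TLS 1.0/1.1, fails the handshake and fopen() returns false, which is the "deny connections to servers that don't support a high-enough level of encryption" behaviour the comment asks for. verify_peer_name is what ties the certificate to the host in the URL; verify_peer on its own only proves the certificate was issued by a trusted CA, not that it was issued for the server you meant to reach.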