Skip to content

Stop using insecure option by default #81

New issue
New issue
Closed
Closed
Stop using insecure option by default#81
Labels
difficulty: easyfix is easy in difficultystatus: work in progressTwilio or the community is in the process of implementingtype: securityknown security issue
@SamMousa

Description

@SamMousa
SamMousa
opened on Nov 18, 2017

Issue Summary

...
CURLOPT_SSL_VERIFYPEER => false
...

Steps to Reproduce

  1. Install the library.
  2. Use it.
  3. Get a MITM attacker
  4. Don't notice it because we're not validating SSL certificates

Technical details:

  • php-http-client Version: master
  • PHP Version: 7.1

Why would you disable SSL peer verification by default in a library??
At the very least people incapable of configuring their servers decently should disable security options manually. Current it's the other way around and only people randomly inspecting source code notice that you're disabling SSL security features by default...

Metadata

Metadata

Assignees

No one assigned

    Labels

    difficulty: easyfix is easy in difficultystatus: work in progressTwilio or the community is in the process of implementingtype: securityknown security issue

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions