Does PHP's fopen() protect against typical attacks when accessing https resources?

If I use PHP's fopen() function to retrieve data from an HTTPS website, is that what one would call a secure HTTPS connection, i.e. does it provide protection against man-in-the-middle and eavesdropping attacks?

Kenneth Poulsen Avatar asked May 24 '12 08:05





1 Answer

Not by default, no.

It will always provide some form of protection against simple eavesdropping attacks, as the data will always be encrypted (as long as the SSL server you are connecting to allows at least one encrypted cipher to be used - yes, null-encryption ciphers are allowed in HTTPS connections :roll-eyes:). However, by default, it will not protect against man-in-the-middle attacks, as it doesn't validate the server's certificates; therefore you cannot have any confidence that you have connected to the intended server.

Certificate validation can be switched on. To do so, you will need to provide a root certificate bundle and use the fourth argument to fopen, which allows you to specify a stream context. The stream context allows you to modify the behaviour of the stream. The example below causes certificates to be validated against the root certificates in the specified bundle file.

```php
<?php
$url = 'https://example.com/'; // placeholder: the HTTPS resource being fetched

// Build a stream context that turns on certificate verification and points
// OpenSSL at the CA bundle the server's certificate chain must validate against.
$context = stream_context_create( array(
    'ssl' => array(
        'cafile'      => 'ca_bundle.crt',  // path to your root certificate bundle
        'verify_peer' => true              // reject servers whose chain does not verify
    )
));

// Pass the context as the fourth argument; fopen() returns false if the
// TLS handshake (including certificate validation) fails.
$file = fopen( $url, 'r', false, $context );
```
Cheekysoft Avatar answered Sep 19 '22 21:09

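As an added example (not code from the answer above), the following puts the unverified configuration next to the validating one in a single helper, so the difference in what fopen() accepts is visible; the URL and the CA bundle path are assumptions to be replaced with your own values.

```php
<?php
// Added example: fetch an HTTPS resource with fopen(), either with or without
// certificate validation, and refuse to use the response when validation fails.
// $url and $caBundle below are assumptions, not values from the original answer.

function fetchOverHttps(string $url, string $caBundle, bool $validate): ?string
{
    $sslOptions = $validate
        ? [
            'verify_peer'         => true,       // chain must verify against the bundle
            'verify_peer_name'    => true,       // certificate must match the host name
            'allow_self_signed'   => false,
            'cafile'              => $caBundle,
            'disable_compression' => true,       // avoid TLS-level compression
        ]
        : [
            // Weak: any certificate is accepted, so an on-path attacker can
            // present its own certificate and read or alter the traffic.
            'verify_peer'      => false,
            'verify_peer_name' => false,
        ];

    $context = stream_context_create(['ssl' => $sslOptions]);

    // fopen() returns false (and emits a warning) when the handshake fails,
    // for example because the server's certificate did not verify.
    $handle = @fopen($url, 'r', false, $context);
    if ($handle === false) {
        $err = error_get_last();
        fwrite(STDERR, 'fopen failed: ' . ($err['message'] ?? 'unknown error') . "\n");
        return null;
    }

    $body = stream_get_contents($handle);
    fclose($handle);
    return $body === false ? null : $body;
}

$url      = 'https://example.com/';                  // assumption
$caBundle = '/etc/ssl/certs/ca-certificates.crt';    // assumption: Debian/Ubuntu bundle path

// Only the validated fetch is treated as trustworthy; a null result means the
// connection was refused rather than silently accepted.
$body = fetchOverHttps($url, $caBundle, true);
echo $body === null
    ? "Validated fetch failed; not using the response\n"
    : 'Validated fetch succeeded (' . strlen($body) . " bytes)\n";
```

Since PHP 5.6, verify_peer and verify_peer_name default to true and the system CA store is used when cafile is not set, so the explicit options mainly matter on older releases or when you need to pin a specific bundle.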