PHP OpenID doesn't work with Google/Yahoo and 'hacks' fix it... are they safe?


I am experimenting with OpenID, and have set up a sample web page to use my OpenID account. I'm using it, and it was not working with my Google account. A little research pointed me to a thread which suggests that the problem is that Google uses https and ...

... possibly the HTTPS setup has been broken for making the request. Verify that you have a CA-certificate bundle installed on your PHP server.

In the same thread, someone links to people who have posted "hacked" versions that they successfully used with their Google account, and there are other fixes in other questions ( , ...).

I'm not very hot on security, so I ask: does anyone know of a reason not to use the hacked versions?

What deficiency in the original library does this hack work around, and is the hack therefore a potential security vulnerability?

Is there a qualified crypto person who has looked at any of these solutions and said "By the beard of David Chaum! No!"?

If so - and so I cannot use any of these hacks - how do I check that I have a "CA-certificates bundle installed"?

Here's what the author of one of the "hacked" versions wrote:

Specifically, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are true by default: I set them to false and it worked for the test page!

The most important reason HTTPS is useful in OpenID is that it is a guard against a man-in-the-middle attack, i.e. some bad guy has poisoned your DNS cache so that a request for google.com goes to bad-guys.example. With properly configured HTTPS, you verify the certificate on the connection, find out that it is not from Google, and say "I'm not telling you anything." Unless you do not verify any certificates (you set all the SSL_VERIFY options to false), in which case your server believes that everything the bad guy says came from the real Google provider. You can imagine how bad that can be.

Now, obviously, this is not the worst option you could have created, because it's not worse than just using HTTP, which many people use anyway. If you do that, you are simply not providing HTTPS-level protection.

And there is a lot of debate about how easy or hard DNS-based attacks are, or how easy it is to attack the connection between your server and Google by any means, which is harder than attacking the connection between the user's laptop in the usual coffee shop and your server.

But still, really it is better to fix your PHP or curl SSL configuration. Or, if you do not do this, warn your users when they sign up with HTTPS identifiers, so they can choose whether they actually want to use that OpenID with your site.

Which brings me to your second question: I don't know anything about the server platform you are using, so the best I can do is link you to ; see the section "Get a better / different / new CA certificate bundle!"
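To make the answer concrete, here is an added PHP example that is not code from the question, the answer or the OpenID library. It puts the "hack" settings (verification switched off) next to a configuration that keeps verification on with an explicit CA bundle, and shows one way to find out whether a CA bundle is installed, which was the last part of the question. The function names, the order in which candidate bundle locations are tried and the test URL are my own choices; it needs the curl and openssl extensions.

```php
<?php
// Added example: contrasting the "hacked" curl settings with a verifying setup,
// and checking for a CA bundle. Function names and the test URL are assumptions.

// What the "hacked" library does: peer and hostname checks switched off.
// Any certificate is accepted, so a man-in-the-middle can impersonate the provider.
function insecureCurlOptions(): array {
    return [
        CURLOPT_SSL_VERIFYPEER => false, // accept any certificate, even self-signed
        CURLOPT_SSL_VERIFYHOST => 0,     // do not check the name in the certificate
    ];
}

// The configuration to keep: verification on, and an explicit bundle if you have one.
function secureCurlOptions(?string $caBundle = null): array {
    $opts = [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2, // 2 = the certificate must match the hostname
    ];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle; // path to a PEM bundle of trusted CAs
    }
    return $opts;
}

// Look for a readable CA bundle: environment, php.ini settings, OpenSSL default.
// Returns the first path that exists, or null if none is found.
function findCaBundle(): ?string {
    $candidates = [
        getenv('SSL_CERT_FILE') ?: null,
        ini_get('openssl.cafile') ?: null,
        ini_get('curl.cainfo') ?: null,
    ];
    if (function_exists('openssl_get_cert_locations')) {
        $loc = openssl_get_cert_locations();
        $candidates[] = $loc['ini_cafile'] ?? null;
        $candidates[] = $loc['default_cert_file'] ?? null;
    }
    foreach ($candidates as $path) {
        if ($path !== null && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

// Fetch a URL with verification on. Returns [bool ok, string detail].
function fetchVerified(string $url, ?string $caBundle): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, secureCurlOptions($caBundle) + [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $err   = curl_error($ch);
    $code  = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false) {
        // libcurl codes 51 (peer failed verification) and 60 (CA cert problem)
        // mean the chain could not be verified: fix the bundle, don't disable checks.
        return [false, "curl error $errno: $err"];
    }
    return [true, "HTTP $code, " . strlen($body) . " bytes"];
}

$bundle = findCaBundle();
echo "CA bundle: " . ($bundle ?? 'none found') . PHP_EOL;
[$ok, $detail] = fetchVerified('https://www.google.com/', $bundle);
echo ($ok ? 'verified OK: ' : 'verification failed: ') . $detail . PHP_EOL;
```

If findCaBundle() reports nothing and the fetch fails with error 51 or 60, the fix is to install a CA bundle (or point openssl.cafile / curl.cainfo in php.ini at one) and leave CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST at their defaults; in the OpenID library, the curl_setopt calls the "hack" changed are the place to put CURLOPT_CAINFO instead.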

