PHP OpenID doesn't work with Google/Yahoo and 'hacks' fix it... are they safe?

Views: 105

Problem description


I've been experimenting with OpenID, and have set up a sample web page to access using my OpenID account. I'm using the Php OpenID Library by Janrain and it wasn't working with my Google Account. A little research led me to this question, which suggests the problem is that Google uses https and...

... it's likely the setup for making HTTPS requests is borked on your PHP server. Check to make sure you have the ca-certificates package installed.

In the same thread, someone links to their hacked version of the library which I deployed and have used with my Google Account successfully. Other questions have other customizations to get around similar problems (Janrain’s PHP-OpenID and Google/Yahoo, php-openID doesn’t work with Yahoo!, Example usage of AX in PHP OpenID...)

I'm not too hot on security, so I ask: does anyone know of a reason to not use these hacked versions?

Does the original library have whatever shortcoming these hacks fix by design, and therefore the hack is a potential security vulnerability?

Is there a qualified crypto-ifier out there who has looked at any of these solutions and gone "By David Chaum's beard! NO!!"

If so - and I therefore shouldn't use any of these hacks - how would I check that I "have the ca-certificates package installed"?

Solution

Here's what the author of one of those "hacked" versions wrote:

In particular CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are true by default: I set them to false and it worked for the test page!

The effect that has is to pretty much negate any security advantage offered by using HTTPS. The primary reason HTTPS is useful in OpenID is that it guards against a man-in-the-middle attack, i.e. some bad guy poisons your DNS cache to send all google.com requests to bad-guys.example. With properly configured HTTPS, you'd verify the certificate on the connection, find out it wasn't from Google, and say "I'm not going to believe anything you say, bad-guys!"

Unless, of course, you don't verify any certificates (you set all the SSL_VERIFY options to false), in which case your server will believe everything bad-guys says as if it were the real Google provider. You can imagine how that might be bad.

Now, frankly, this isn't the worst choice you could make, because it's no worse than just using HTTP, which a lot of people do anyway. You're just lying to your users if you imply that you're providing HTTPS-level security when you're not.

And there's a lot of information out there about how easy it is or isn't to do a DNS-based attack, or how easy it is to forge SSL certificates. Either way, it does require someone to attack the connection between your server and Google, which is generally harder than attacking the connection between the user's laptop in the coffee shop and your server.

But still, much better to actually fix your PHP or CURL SSL configuration. Or if you don't, warn your users of that when they sign up with HTTPS identifiers, so they can choose if they really want to use that OpenID with your site.

Which leads to your second question. I think, not knowing anything about which server platform you're using, the best thing I can do is to link you to the Curl docs on SSL certificates; see the section that says "Get a better/different/newer CA cert bundle!"
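The cURL setting the "hacked" library changes, shown beside the correct configuration, plus a check for the CA bundle that answers the second question. This is an added example, not code from the question, the answer or Janrain's library; the bundle paths and the google.com URL are assumptions.

```php
<?php
// The hack: peer and host verification off, so any certificate (including
// one presented by bad-guys.example) is accepted. Shown for comparison only.
function weak_curl_options(): array {
    return [CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 0];
}

// The fix: keep verification on and tell cURL where the CA bundle lives.
// VERIFYHOST must be 2 (match the hostname against the certificate).
function hardened_curl_options(string $caBundle): array {
    return [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_CAINFO => $caBundle];
}

// "How would I check that I have the ca-certificates package installed?":
// look at php.ini's curl.cainfo and where common distributions put the bundle
// (paths are assumptions for Debian/Ubuntu, RHEL/CentOS and openSUSE).
function find_ca_bundle(): ?string {
    $candidates = [ini_get('curl.cainfo') ?: '',
                   '/etc/ssl/certs/ca-certificates.crt',
                   '/etc/pki/tls/certs/ca-bundle.crt',
                   '/etc/ssl/ca-bundle.pem'];
    foreach ($candidates as $path) {
        if ($path !== '' && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

// Exercise the TLS handshake against the provider with verification on;
// false means cURL reported an error, which includes a failed peer check.
function verified_head_request(string $url, string $caBundle): bool {
    $ch = curl_init($url);
    curl_setopt_array($ch, hardened_curl_options($caBundle)
        + [CURLOPT_RETURNTRANSFER => true, CURLOPT_NOBODY => true]);
    curl_exec($ch);
    $ok = curl_errno($ch) === 0;
    curl_close($ch);
    return $ok;
}

$bundle = find_ca_bundle();
if ($bundle === null) {
    echo "No CA bundle found: install ca-certificates or set curl.cainfo in php.ini\n";
} else {
    // Replace with the provider endpoint discovered for the user's identifier.
    $ok = verified_head_request('https://www.google.com/', $bundle);
    echo "Verified HTTPS using $bundle: " . ($ok ? 'OK' : 'FAILED') . "\n";
}
```

If the script reports FAILED with a bundle present, the bundle is stale or incomplete, which is the case the cURL docs' "Get a better/different/newer CA cert bundle!" section covers.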
