ZF-4838: HTTPS in Zend_Http_Client is to be considered insecure


Zend_Http_Client (to more specific: it's only available adapter Zend_Http_Client_Adapter_Socket) does neither verify server certificates nor does it verify hostnames. Zend_Http_Client_Adapter_Curl behaves correct, but is not in trunk.

Best regards, Thomas Gelf


Fixed with ZF-3616, inclusion of cURL Adapter into trunk, released in 1.8

This is great news! I've been using your adapter for a while, the fact that it will be provided with ZF will however make things easier ;-)

Anyways, this doesn't solve the issue for me: Zend_Http_Client is still to be considered insecure with HTTPS and still prone to MITM attacks. This is also true for all Service-Components based on Zend_Http_Clients. The fact that there finally IS a secure connection adapter does neither fix the default one (Socket), nor does it tell coders to NOT use the default one for HTTPS unless fixed nor does it fix other components based on Zend_Http_Client.

Depends on being able to set context parameters on the stream. Work in progress on that.

Now that the setStreamContext() and getStreamContext() methods have been added (in trunk, CS-17009), you should be able to force peer validation easily.

We can't set this behavior to be the default one, because of BC issues. I also suspect most people will not want this because it makes development and testing harder.

Thanks for reporting!

That's great news, thank you!

Let me add some thoughts regarding default settings. First, this is what I posted last autumn to ZF's mailinglist:

Unfortunately switching validation on per default is not an option as it would break currently working applications. I would suggest to change this with ZF 2.0 - as other libs / languages I know (CURL, Java, C# etc) are doing so out of the box. And in my believes this is the only correct way of using HTTPS. If someone wants to do insecure things he is free to do so, but he has to explicitly switch checks off.

(see… for full post)

I don't know which Zend_Service_Whatever-Classes are based on HTTPS (a quick grep showed Amazon_Ec2, Delicious, ReCaptcha), probably all of them are using Zend_Http_Client - with insecure defaults. And I'm pretty sure others will follow.

Therefore I strongly suggest changing default settings with ZF 2.0. Many developers just don't realize that self-signed certificates lead HTTPS ad absurdum - and also not verifying signed ones does. If someone insists on using useless certificates he can do so. But he needs to be made aware of doing something REALLY bad (and shall be forced into explicitely allowing this in his own code).

What is the best way to add a note assuring this doesn't will be forgotten? Open a seperate ticket against "Next Major Release"?

Best regards, Thomas Gelf

Postponing issue until 2.0 when we can change the defaults in the socket adapter to be more like that of the curl adapter: validating all certificates by default.