php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #68807 Comment proposing unsecure development
Submitted: 2015-01-12 10:03 UTC Modified: 2015-01-12 20:11 UTC
From: vincentpazeller at gmail dot com Assigned:
Status: Not a bug Package: Website problem
PHP Version: Irrelevant OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: vincentpazeller at gmail dot com
New email:
PHP Version: OS:

 

 [2015-01-12 10:03 UTC] vincentpazeller at gmail dot com 
Description:
------------
---
From manual page: http://www.php.net/function.openssl-decrypt
---

Comment from user "nbari at dalmp dot com" is proposing to send critical data over an insecure channel (http) by using a javascript library.

I wanted to answer, but seeing and respecting your rules ("this is not a forum", http://php.net/manual/add-note.php?sect=function.openssl-decrypt&redirect=http://php.net/manual/en/function.openssl-decrypt.php#whatnottoenter) I did not post.

Howewer, I think this post is not accurate enough (what are the risks) and might lead to unsafe usage (we are not all cryptographers / security experts...)

The code/description problems are the following to my eyes:
1) Suggests using a non-secure channel (http) can be secure. Or at least does not explicitly states that the proposed solution is NOT secure. Obfuscation is not considered secure by anyone.

2) suggests sending the obfuscated key over the unsecure layer. It is recomputed on the server side. Then if the code is known, the "cipher" can be easily decoded (code/decode is more accurate than encipher/decipher in this case, IMHO).

3) It should be state that it is easy to get the key by reading the javascript source code (trivial) if no other mechanism is in place...

Conclusion: this post can lead to unsecure behaviors...

I love the user documentation, but here I was very surprised...


Test script:
---------------
Nothing to test...

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-01-12 17:57 UTC] stas@php.net
-Type: Security +Type: Documentation Problem
 [2015-01-12 17:57 UTC] stas@php.net 
Not a PHP security issue.
 [2015-01-12 20:11 UTC] salathe@php.net
-Status: Open +Status: Not a bug -Type: Documentation Problem +Type: Feature/Change Request -Package: Documentation problem +Package: Website problem
 [2015-01-12 20:11 UTC] salathe@php.net 
Not a documentation problem either.

However, I've removed the note and the website will update shortly.
 [2015-01-18 20:10 UTC] cmbecker69 at gmx dot de 
Related To: Bug #68850
 [2015-01-18 20:10 UTC] cmbecker69 at gmx dot de 
Related To: Bug #68850
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Mon May 06 16:01:33 2024 UTC