Edit report at https://bugs.php.net/bug.php?id=68807&edit=1
 ID:                 68807
 Updated by:         [email protected]
 Reported by:        vincentpazeller at gmail dot com
 Summary:            Comment proposing unsecure development
-Status:             Open
+Status:             Not a bug
-Type:               Documentation Problem
+Type:               Feature/Change Request
-Package:            Documentation problem
+Package:            Website problem
 Operating System:   All
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

Not a documentation problem either. However, I've removed the note and the website will update shortly.


Previous Comments:
------------------------------------------------------------------------
[2015-01-12 17:57:29] [email protected]

Not a PHP security issue.

------------------------------------------------------------------------
[2015-01-12 10:03:12] vincentpazeller at gmail dot com

Description:
------------
---
From manual page: http://www.php.net/function.openssl-decrypt
---

Comment from user "nbari at dalmp dot com" is proposing to send critical data over an insecure channel (http) by using a JavaScript library.

I wanted to answer, but seeing and respecting your rules ("this is not a forum", http://php.net/manual/add-note.php?sect=function.openssl-decrypt&redirect=http://php.net/manual/en/function.openssl-decrypt.php#whatnottoenter) I did not post.

However, I think this post is not accurate enough (what are the risks) and might lead to unsafe usage (we are not all cryptographers / security experts...).

The code/description problems are the following to my eyes:

1) Suggests using a non-secure channel (http) can be secure. Or at least does not explicitly state that the proposed solution is NOT secure. Obfuscation is not considered secure by anyone.

2) Suggests sending the obfuscated key over the insecure layer. It is recomputed on the server side. Then if the code is known, the "cipher" can be easily decoded (code/decode is more accurate than encipher/decipher in this case, IMHO).

3) It should be stated that it is easy to get the key by reading the JavaScript source code (trivial) if no other mechanism is in place...

Conclusion: this post can lead to insecure behaviors... I love the user documentation, but here I was very surprised...

Test script:
---------------
Nothing to test...

------------------------------------------------------------------------

--
PHP Webmaster List Mailing List (http://www.php.net/)
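The following PHP is an added example, not code from the bug report, the removed manual note, or the php.net documentation. It models the report's points 2 and 3: if the key is recomputed from values the browser already has (here a constructed session id and a constructed salt shipped in the page), anyone holding the page source and the request recovers the same key, so the transport offers no confidentiality regardless of the cipher used. The shape of the criticized scheme (key derived client-side from page-visible inputs) is an assumption drawn from the report's description; the hardened variant keeps the key on the server, adds an HMAC so tampered payloads are rejected before decryption, and gates handling on TLS. `clientVisibleKey`, `serverSecretKey`, `isTls` and the `APP_ENC_KEY` environment variable are names chosen for this example.

```php
<?php
// Added example (not from the bug report or the php.net manual).
// Contrast: a key the browser can recompute from public values provides
// no confidentiality, versus a key that only the server ever holds.

declare(strict_types=1);

const CIPHER = 'aes-256-cbc';

// --- Pattern the report criticizes (assumed shape): key derived from data
// visible in the page. Whoever reads the JavaScript source and sees the
// request can derive the very same 32-byte key.
function clientVisibleKey(string $sessionId, string $pageSalt): string
{
    return hash('sha256', $sessionId . $pageSalt, true);
}

// --- Recommended pattern: server-only secret, never sent to the client.
// In production load it from the environment or a secrets store; the
// fallback string is a constructed placeholder so the file runs stand-alone.
function serverSecretKey(): string
{
    $secret = getenv('APP_ENC_KEY') ?: 'placeholder-secret-for-this-example-only';
    return hash('sha256', $secret, true);
}

// Encrypt-then-MAC: random IV, AES-256-CBC, HMAC-SHA256 over IV||ciphertext.
function encrypt(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $iv . $ct, $key, true);
    return base64_encode($iv . $ct . $tag);
}

// Returns null on malformed input, MAC mismatch, or decryption failure.
function decrypt(string $payload, string $key): ?string
{
    $raw   = base64_decode($payload, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + 32) {
        return null;
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, -32);
    $ct  = substr($raw, $ivLen, -32);
    // Constant-time comparison; reject before touching the cipher.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key, true), $tag)) {
        return null;
    }
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Request guard: sensitive payloads are only handled over TLS, which is the
// control the criticized note tried to replace with obfuscation.
function isTls(array $server): bool
{
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

// --- Demonstration with constructed values ---
$sessionId = 'sess-1234';          // constructed: visible to the browser
$pageSalt  = 'salt-in-js-source';  // constructed: shipped inside the JavaScript
$message   = 'account-balance=42'; // constructed sample data

// 1) Criticized pattern: a reviewer recomputes the key from the same public
//    inputs the browser had and recovers the plaintext.
$weakKey  = clientVisibleKey($sessionId, $pageSalt);
$payload  = encrypt($message, $weakKey);
$observer = decrypt($payload, clientVisibleKey($sessionId, $pageSalt));
echo 'key derivable from page: ' . var_export($observer, true) . PHP_EOL; // 'account-balance=42'

// 2) Hardened pattern: server-held key; the payload reveals nothing usable
//    to someone holding only the page, and it travels over TLS.
$payload = encrypt($message, serverSecretKey());
echo 'with page-derived key:   ' . var_export(decrypt($payload, $weakKey), true) . PHP_EOL; // NULL
echo 'server decrypts:         ' . var_export(decrypt($payload, serverSecretKey()), true) . PHP_EOL;
echo 'tls required, got http:  ' . var_export(isTls(['HTTPS' => 'off']), true) . PHP_EOL; // false
```

The first branch is the check a documentation reviewer would run on the removed note: if the decryption side needs nothing beyond what the page already exposes, the scheme is encoding, not encryption, which is the report's "code/decode" point. The second branch shows the minimal correct use of `openssl_encrypt`/`openssl_decrypt` from the manual page in question: a secret that never leaves the server, a fresh IV per message, an authentication tag checked before decryption, and TLS for the transport itself.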
