Consuming APIs securely: Stop disabling SSL protection with cURL
Great advice from Brian Fenton for developers who consume APIs over SSL using cURL. He also argues that API providers should consider thoughtfully which data sets make sense to offer through SSL, highlighting the Foursquare API as an example of doing it right.
Simple, common sense advice for developers and providers, but not followed as often as you'd think.
Several months ago when I was working on FoursquareNotifier, I was made aware of a fairly significant issue with using SSL through cURL. API calls to Foursquare require SSL, which is perfectly fine and a good idea for many API-driven applications. However, all the common examples for how to make API calls to Foursquare (including the PHP classes recommended by Foursquare itself), included setting some innocent-looking, poorly-explained, and potentially dangerous settings. Namely, curl_setopt(CURLOPT_SSL_VERIFYPEER, false). This tells cURL to stop caring who answers its request, as long as they use SSL, breaking one of the basic cryptography assumptions that SSL is supposed to provide.
Read the full post here
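As an added illustration (not code from Brian Fenton's post or from Foursquare), this PHP sketch puts the weak settings beside options that keep certificate and hostname verification on, and audits an option array for the weak ones. The function names, the sample array and the `$caBundle` path parameter are hypothetical, and the cURL extension is assumed to be loaded.

```php
<?php
// Weak settings as often copied into API clients (constructed sample).
$weakOptions = [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => false, // any certificate is accepted
    CURLOPT_SSL_VERIFYHOST => 0,     // certificate name is never compared to the host
];

// Options that keep chain and hostname verification enabled.
// $caBundle (hypothetical) is a path to a PEM file of trusted CA certificates.
function secureCurlOptions(?string $caBundle = null): array
{
    $options = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ];
    if ($caBundle !== null) {
        $options[CURLOPT_CAINFO] = $caBundle;
    }
    return $options;
}

// Returns findings for an option array; an empty list means verification is intact.
function auditCurlOptions(array $options): array
{
    $findings = [];
    if (array_key_exists(CURLOPT_SSL_VERIFYPEER, $options) && !$options[CURLOPT_SSL_VERIFYPEER]) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is disabled: the server certificate is not validated';
    }
    if (array_key_exists(CURLOPT_SSL_VERIFYHOST, $options) && (int) $options[CURLOPT_SSL_VERIFYHOST] !== 2) {
        $findings[] = 'CURLOPT_SSL_VERIFYHOST is not 2: the certificate name is not matched to the host';
    }
    return $findings;
}

// Fetches a URL and fails closed: any TLS or transfer error becomes an exception.
function fetchVerified(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, secureCurlOptions($caBundle));
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('TLS or transfer failure: ' . curl_error($ch));
    }
    return $body;
}

print_r(auditCurlOptions($weakOptions));         // two findings
print_r(auditCurlOptions(secureCurlOptions()));  // empty array
```

If verification fails with the secure options, the fix is to point `CURLOPT_CAINFO` at a current CA bundle rather than to turn the check off.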