tasty morsels of goodness on open platforms, developer relations and motherhood 2.0

Thursday, October 06, 2011

Consuming APIs securely: Stop disabling SSL protection with cURL

Great advice from Brian Fenton for developers consuming APIs with cURL over SSL -- and a reminder that API providers should think carefully about which data sets make sense to offer through SSL. He highlights the foursquare API as an example of doing it right.

Simple, common sense advice for developers and providers, but not followed as often as you'd think.

The Wuss of Steel: Stop disabling SSL protection with cURL:

Several months ago when I was working on FoursquareNotifier, I was made aware of a fairly significant issue with using SSL through cURL. API calls to Foursquare require SSL, which is perfectly fine and a good idea for many API-driven applications. However, all the common examples for how to make API calls to Foursquare (including the PHP classes recommended by Foursquare itself) included setting some innocent-looking, poorly-explained, and potentially dangerous settings. Namely, curl_setopt(CURLOPT_SSL_VERIFYPEER, false). This tells cURL to stop caring who answers its request, as long as they use SSL, breaking one of the basic cryptography assumptions that SSL is supposed to provide.

read the full post here
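As an added illustration (this is not code from the original post, from Brian Fenton, or from the Foursquare PHP classes he mentions), the snippet below puts the insecure pattern he describes next to a hardened PHP request helper. The endpoint URL and the CA bundle path are placeholders, and the function names are my own.

```php
<?php
// Added example: the insecure cURL pattern beside a hardened one.
// Endpoint URL and CA bundle path are placeholders, not real project values.

// INSECURE: the pattern found in many Foursquare API examples. With peer
// verification off, cURL accepts any certificate at all (self-signed,
// expired, issued for a different host), so an on-path attacker can read
// and rewrite the "encrypted" API traffic without the client noticing.
function insecure_get($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // trust anyone
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // and any host name
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// HARDENED: leave peer verification on (the default), check that the host
// name matches the certificate (2 = verify CN/SAN), refuse anything but
// HTTPS, and optionally point cURL at an explicit CA bundle. A verification
// failure is an error to surface, not a setting to switch off.
function secure_get($url, $caBundle = null)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no plain-http fallback
        CURLOPT_FAILONERROR    => true,
    ]);
    if ($caBundle !== null) {
        // Assumed path to a trusted CA bundle; if omitted, cURL uses the
        // bundle it was built with (usually the system one).
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }
    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $error = curl_error($ch);
        curl_close($ch);
        // cURL error 60 is the classic "certificate cannot be verified
        // against the CA bundle": fail closed rather than retrying insecurely.
        throw new RuntimeException("HTTPS request failed ($errno): $error");
    }
    curl_close($ch);
    return $body;
}

// Usage (placeholder endpoint; real Foursquare endpoints and auth are not shown):
// $json = secure_get('https://api.example.invalid/v2/venues/search?...');
// $json = secure_get('https://api.example.invalid/...', '/etc/ssl/certs/ca-certificates.crt');
```

The common reason people reach for `CURLOPT_SSL_VERIFYPEER => false` is a missing or stale CA bundle on the client machine (typically Windows PHP installs). The fix for that is to install a current bundle and pass it via `CURLOPT_CAINFO`, which is what the optional `$caBundle` argument above is for.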