Profile picture
Scott Arciszewski @CiPHPerCoder
, 11 tweets, 3 min read Read on Twitter
Fun activity:

Go through the plugins/extensions/whathaveyou for your favorite CMS/framework (especially eCommerce) and see which ones disable certificate validation for HTTPS requests.

paragonie.com/blog/2017/10/c…
Plugins for payment gateways that disable either are worth 5 points, unless they disable both, in which case they're worth 20 points.
If you expected to not find anything, well, I hope you didn't bet the farm on that:

Security researcher extraordinaire @indrora probably wins by sheer volume:
Choice findings from @indrora:

1. github.com/WPPlugins/gate…
2. github.com/WPPlugins/woos…
3. github.com/WPPlugins/amaz…
So basically what I'm saying is:

- None of y'all use Certainty
- None of y'all are validating TLS certificates in your PHP apps
- Not even eCommerce plugins are doing this
- Certainty makes cacert.pem reliable; validate your fucking certs!
Special shout out to the devs of AzuraCast for not repeating the same mistakes that are so endemic to the PHP ecosystem regarding cURL / HTTPS usage.

@threadreaderapp unroll
Finally,
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Scott Arciszewski
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @CiPHPerCoder see all

Profile picture
Want to make PHP's exceptions more helpful to your users, even if they're speaking to it over a JSON API or command line script? github.com/paragonie/corn…
Note: v1.x of this library targets EOL versions of PHP. You'll ideally want to use version 2 at a minimum.

But anyway, consider this a holiday gift to the PHP community. (I might have proposed it to FIG, if I were a member, and wasn't wary of endless bikeshedding.)
So what does Corner do? It transforms thorny corner-case errors into something that developers will find more useful.

It was inspired by this tweet:
Read 6 tweets
Profile picture
Let's talk about some of the open source libraries that @ParagonIE has created over the years to make it easier to make secure PHP applications.

paragonie.com/software
First, the polyfill libraries:

random_compat exists so that your framework can use the newer PHP 7 CSPRNG API even if they support PHP 5. It's used by a lot of projects, including WordPress.

github.com/paragonie/rand…
In a similar spirit, sodium_compat reimplements (most of) libsodium in pure PHP, and even supports 32-bit operating systems. Its purpose is to help projects transition toward PHP 7.2+ support.

github.com/paragonie/sodi…
Read 16 tweets
Profile picture
I've drafted several blog posts in the past week and scrapped them all. None of them feel important enough to write about, let alone publish.
This isn't coming from a position of writer's block. This is coming from a position of empathy. Time is precious, and I hate to waste anyone's.
Application security: I don't know whether it's better classified as "poorly understood" or "underappreciated".
Read 30 tweets

Related threads

Profile picture
Let me annoy you with this again
1. Breath of the Wild was an okay open world game, the Zelda elements were weak as hell and had the worst bosses in the series.
2. Mouse and keyboard gives you more control, but you can still be competent with controllers in shooters
Read 33 tweets
Profile picture
Message I got from Zooko re: their efforts to recover the missing Zcash trusted setup ceremony transcript.

Given there is a chance at a market moving hundreds of millions of dollars screw up, I don't want to be in possession of any insider info. So I'm making this transparent.
I'm disappointed that they have chosen to delay investigating this for months in an effort to release Sapling first rather than just being upfront about it.

github.com/zcash/mpc/issu…
Something a friend just sent me seconds ago: "Thanks for telling me early so I could move all my coins"

They're joking of course, but quite seriously this kind of insider trading thing is exactly why I don't want to be in possession of any insider info on this.r
Read 8 tweets
Profile picture
On Nov 5 2018, Kerry Diotte - Member of Parliament for
Edmonton Griesbach - sent me legal notice regarding tweets I made about him and his support for Faith Goldy - a white nationalist.

They gave me the deadline of Nov 7, 2018 to remove the tweets

This is what followed #cdnpoli
For context, here are the tweets in question.



I chose to take this letter seriously since they came from Arthur Hamilton, the top lawyer for the Conservative Party of Canada. This is a profile on
Hamilton.

theglobeandmail.com/news/politics/…
Read 9 tweets
Profile picture
THREAD: What should we make of the filing by Trump’s lawyers demanding that Trump be permitted to review the documents seized by the government and remove any he believes are privileged?
1/ The letter linked above was sent by Trump’s lawyers to the judge overseeing Cohen’s challenge to the prosecution’s seizure of documents from Cohen’s office, home, and hotel room pursuant to search warrants signed by a federal judge.
2/ As a starting point, Cohen’s challenge to the search warrants is extraordinary, and Trump’s intervention into Cohen’s legal action is even more unusual. It’s not clear that Trump has the right to challenge the government’s review of documents seized from Cohen at this stage.
Read 17 tweets
Profile picture
Thread for tracking bad accounting in the DJT campaign expenditures for 2015-2016. I will add to this thread as I find them.

Notes: Schiller batched his expense reports. It’s possible to track his McDonalds’ purchases for campaign events by city, but not by DATE.
In May-June 2015, everybody in Iowa & NH seemed to require all campaigns to pre-pay for events. Makes sense: they know campaigns become deadbeats in 12 hours. Short notice rentals. Got soaked for NH campaign office.
Campaign held a rally at Phoenix Convention Center (owned by City of Phoenix) on 11 JUL 2015. Campaign double-paid for event: $7803 on 27JUL to City of Phoenix; $7803 on 31JUL to Phoenix Convention Center. Weird. A double pay like this may indicate a skim/diversion.
Read 74 tweets
Profile picture
#b 'Teknik menjawab' is not a series of rituals that you carry out to secure an A in the exam. You don't get guaranteed an A just through superficial actions like highlighting keywords or drawing meniscus or inserting isi tersirat.
The problem is students and teachers treat teknik menjawab as some sort of pseudo magical ritualistic gestures that will bring a certain outcome. Draw a pentagram, slaughter a chicken, and your wish will be granted.
Some remote Pacific Islanders in 1940s came in contact with Allied and Japanese soldiers who were more technologically advanced and thought the soldiers were gods who had many "cargo" (canned food, electronics, modern stuff)
Read 11 tweets

Trending hashtags

#RussiaRussiaRussia #smarticities #GoodbyeDemocrats #LostHighway #FLYJOHNNYFLY #MerryXmas #ItsTime #ai #Ethereum #worldbuilding #UninventInternet #bigdat #BeepBeep #bigdaga #MSDProud #smarticites #PaulMcCartney #FUN #DropAllCharges #opendats #ecommerce #OpKavanaugh #Samhain #cdnpoli #smartciities

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!