Developers: please use sslverify = true

      1 Comment on Developers: please use sslverify = true

Often WordPress is being used to talk to external gateways or API’s. Especially now, with the uprising popularity of the REST API WordPress is getting more and more ready to talk to the outside world. A fairly common practice is to set sslverify = false when you’re using functions like wp_remote_get() or wp_remote_post (). Even though this was common practice not so long ago, I’d really like to suggest to stop doing that. Each time a developer does this a kitten get’s thrown in a blender. So please, use sslverify = true

Each time your website makes remote requests it has to connect to the external API that you’re communicating with. In most cases, but especially when you’re communicating payment details, you’ll want to make sure that the API you’re connecting to is indeed the one you intended to connect to. Verification of your connection ensures the security of the information that is being sent back and forth.

If you don’t verify the authenticity of the external API, you’re connecting to you open yourself to man-in-the-middle attacks. Any data you’re sending towards the API might be intercepted. In that same matter, all information sent to your website can be spoofed, malicious or just plain wrong.

A blast from the past: why are we doing this again?

Until a couple of years ago, using sslverify = false actually made some sense. In many cases the installation of PHP being used wasn’t using the latest copy of the CA Root Certificates. Because of this your website wouldn’t be able to properly verify a third party over SSL, resulting in errors. Ignoring these seemed like a good idea at the time. How else could you get your website talking to the outside world?

This actually is quite a bad practice, since it allows attackers to interfere with the information being sent. If your application can’t verify the authenticity of an API you need to address the issue that is causing this. You don’t just ignore all checks and pray everything goes well… A colleague of mine wrote a (technical) article about fixing these issues a short while ago. If you do want to fix this for your specific (non-WordPress) setup, make sure you read that as well.

Time to move to the present: WordPress has you covered.

With the 3.7 release of WordPress a nifty new feature was introduced: automatic updates. This allows users to let all the updating of WordPress, theme’s and plugins be handled by their websites. This feature came with its own challenges for the contributors team of WordPress. They wanted the update process to be handled over an SSL channel. And by doing so they ran into the same issues other developers had as well: if the authenticity of the WordPress API couldn’t be verified by the server the connection would fail. Leaving the end-user without updates. So during this transition to a self-updating WordPress they also began bundling a copy of the CA Root Certificates file itself, sourced from Mozilla.

So if you are developing for WordPress 3.7 or above there is no longer any need to use sslverify = false. The provided CA Root Certificate file is used by WordPress’ WP_HTT_API functions to verify the certificates instead of whatever old or outdated version is being used by your PHP installation. So from now on, please use sslverrify = true when talking to other hosts. The only place you switch this to false is on your local development environment. This way all of us can make the web a better place to live ;-)

One thought on “Developers: please use sslverify = true

  1. Pingback: Don't turn off CURLOPT_SSL_VERIFYPEER, fix your PHP configuration - PHP, Security, WordPress - Sysadmins of the North

Leave a Reply

Your email address will not be published. Required fields are marked *