Is it safe to add the `stream` key in mail.php in Laravel?

Published 3 months ago by jonjie

Hi. I have researched this when sending email to Gmail. It solves the problem that, when you send an email without this code, the email is not sent or sometimes goes to the spam folder, but when you include it, the email sends perfectly. Is this code safe? Does this code have advantages and disadvantages? Does this code affect the application?

config/mail.php

'stream' => [
    'ssl' => [
        'allow_self_signed' => true,
        'verify_peer' => false,
        'verify_peer_name' => false,
    ],
],
Best Answer (As Selected By jonjie)
lostdreamer_nl

What Snapey is saying is that you're changing the way you allow for SSL (https) connections.

For a small analogy, we go to the real world.

If you know you need to communicate with me, you can look me up in a phone book, contact me, and to make sure I am really me, I can show you my ID / passport, which is handed to me by a government (we can sort of trust them, right?).

This is the same with internet connections:

Normally, when you connect to smtp.google.com, you ask a DNS server for the location of smtp.google.com. You get the IP and contact it. When you do this without SSL, you might get the wrong server (someone is pretending to be Google), but over SSL you get a certificate from the server which identifies it as being smtp.google.com (sort of like its passport).

These certificates would be given out by a certificate authority so you can know that you can trust the certificate (otherwise it's just a piece of paper saying "I am who I say I am"; why would you trust that?).

What you are doing by changing these settings is:

  • 'allow_self_signed' => true, // I'll allow any piece of paper with the word 'ID' on it; it doesn't have to be government approved.
  • 'verify_peer' => false, // We won't even check what's on the piece of paper, we just want to get one.
  • 'verify_peer_name' => false, // And we won't bother checking if the name on the piece of paper is actually the one we're trying to communicate with.

All in all, you just removed the complete certification part that makes SSL (and thus HTTPS) safe.

Basically you go out onto the street and give your info to the first person who says he's who you are looking for.

Janaka

Since this is only a configuration key and does not contain any sensitive information, I don't see anything wrong :)

Snapey
3 months ago (894,315 XP)

Well, the obvious issue is that you are not checking that you have actually connected to Gmail.

This could allow the email to be intercepted by a man-in-the-middle attack.
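As an added example that is not part of this thread and not Laravel's stock config/mail.php, here is the `stream` block from the question placed beside a version that keeps the identity checks the Best Answer and Snapey's comment describe. It assumes the layout shown in the question, where `stream` sits in config/mail.php and Laravel hands it to the mail transport as PHP SSL stream context options; the CA bundle path and the `smtp.gmail.com` host name are assumptions to adjust for your server.

```php
<?php
// config/mail.php (excerpt). Added example; not code from the original thread.
// Laravel passes the 'stream' array through as PHP SSL stream context
// options, so the keys below are the ones documented for PHP's ssl:// context.

return [
    // ... driver, host, port, encryption, username, password ...

    // WEAK (what the question proposes). Every TLS identity check is off:
    // any host that answers on the SMTP port, with any certificate, is
    // accepted as if it were Gmail. A man-in-the-middle on the path
    // receives the credentials and the message in the clear.
    //
    // 'stream' => [
    //     'ssl' => [
    //         'allow_self_signed' => true,
    //         'verify_peer'       => false,
    //         'verify_peer_name'  => false,
    //     ],
    // ],

    // HARDENED. Verification stays on; instead of disabling it, tell PHP
    // where the trusted CA bundle is (the usual cause of the original
    // failure is PHP finding no CA bundle at all).
    'stream' => [
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            // Assumption: Debian/Ubuntu bundle path. On other systems use
            // the distribution's bundle, or drop 'cafile' and set
            // openssl.cafile in php.ini so it applies process-wide.
            'cafile'            => '/etc/ssl/certs/ca-certificates.crt',
            // Assumption: the name the server's certificate must carry.
            // Pin it explicitly so a changed MAIL_HOST cannot silently
            // relax which certificate is accepted.
            'peer_name'         => 'smtp.gmail.com',
        ],
    ],
];
```

Before changing the config, check why verification failed in the first place from the same machine: `openssl s_client -connect smtp.gmail.com:587 -starttls smtp -CAfile /etc/ssl/certs/ca-certificates.crt` should end with `Verify return code: 0 (ok)`. If it reports an unknown issuer, the fix is the CA bundle above; if the certificate presented is not Google's at all, something on the network path (a proxy or filtering appliance) is already intercepting the connection, which is exactly the case the three `false`/`true` flags in the question would hide.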

jonjie

@Snapey Hi, your comment is so deep, and it is very interesting to me. But may I request a more specific explanation of this? Sorry, I didn't get what you're trying to say.

Thanks man.

jonjie

@Janaka Hi, thank you for the response. But I'm really thinking about what @Snapey said in his comment. Hmm, very interesting.

jonjie

Hi @lostdreamer_nl. Your explanation is very clear. Thanks a lot :)
