View Issue Details

ID: 0001485
Project: Xdebug
Category: Step Debugging
View Status: public
Last Update: 2017-12-17 14:32
Reporter: hajekj
Assigned To: derick
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: won't fix
Product Version: 2.5.5
Summary: 0001485: Add option to encrypt remote debugging connection
Description

To my knowledge (and as far as I could dig through the docs), the connection from within the server to the debugging client is not protected, and therefore it can be intercepted and misused by a third party. One of the methods to eliminate this currently is either the use of a VPN (as long as the network is private) or the use of an SSH tunnel. I believe it would be great if Xdebug added an option to support transport encryption of the debugging data, possibly symmetric for a start.
In the configuration, there would be xdebug.remote_secret = "abcde", and locally it would be passed as a parameter when starting to listen for the debug session. If remote_secret is set to something, the secret will then be used to encrypt all the traffic using a symmetric algorithm like AES.
In future, the encryption could be based on pre-configured user accounts, or generally some transport security could be added in the form of TLS.

Tags: security
Operating System
PHP Version: 7.1.0-7.1.4

Activities

derick

2017-12-17 14:32

administrator   ~0004516

I am going to mark this as "won't fix".

Adding a home-grown security layer makes little sense, as every IDE would have to implement this as well. There are probably close to 100 IDEs. Similarly, they would also need to implement TLS if I would go that way.

On the Xdebug side, this would also mean dependencies on, for example, openssl. This is by no means available everywhere, and implementing this for various different platforms (most notably Linux, macOS and Windows) is not a small task. Let alone maintaining and debugging this.

But the main point is that Xdebug is a debugger, meant to be used in situations where you need to debug code. That by definition should exclude production environments. For the few occasions where you need to debug something over the open internet, the requirement of having to use a VPN or SSH tunnel seems reasonable.
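
The SSH-tunnel approach discussed in this issue only protects the session if Xdebug on the server connects to a loopback address that the tunnel forwards. As an added example (not part of the original issue or of Xdebug itself), this Python check audits php.ini text for Xdebug 2.x settings that would send DBGp traffic off-host in plaintext; the sample configurations, the address 203.0.113.10 and the `user@server` placeholder are constructed.

```python
import ipaddress

# Xdebug 2.x defaults for the directives that decide where the DBGp connection goes.
DEFAULTS = {"xdebug.remote_enable": "0", "xdebug.remote_host": "localhost",
            "xdebug.remote_connect_back": "0"}

def parse_ini(text):
    """Collect xdebug.* directives from php.ini-style text (';' starts a comment)."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("xdebug."):
            settings[key] = value.strip("\"'")
    return settings

def is_on(value):
    return value.lower() in ("1", "on", "true", "yes")

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname that cannot be shown to be local

def audit(text):
    """Return findings; an empty list means debug traffic stays on the loopback interface."""
    s = parse_ini(text)
    if not is_on(s["xdebug.remote_enable"]):
        return []
    if is_on(s["xdebug.remote_connect_back"]):
        return ["remote_connect_back is on: Xdebug dials the HTTP client's address, not the tunnel"]
    if not is_loopback(s["xdebug.remote_host"]):
        return ["remote_host=%s: DBGp traffic crosses the network unencrypted" % s["xdebug.remote_host"]]
    return []

# Constructed sample configurations (203.0.113.10 is a documentation address).
# TUNNELLED pairs with a reverse forward opened from the IDE machine, e.g.
#   ssh -R 9000:127.0.0.1:9000 user@server   (user@server is a placeholder)
TUNNELLED = "zend_extension=xdebug.so\nxdebug.remote_enable=1\nxdebug.remote_host=127.0.0.1 ; via ssh -R\n"
EXPOSED = 'xdebug.remote_enable = On\nxdebug.remote_host = "203.0.113.10"\n'
CONNECT_BACK = "xdebug.remote_enable=1\nxdebug.remote_host=127.0.0.1\nxdebug.remote_connect_back=1\n"

if __name__ == "__main__":
    for name, ini in (("tunnelled", TUNNELLED), ("exposed", EXPOSED), ("connect_back", CONNECT_BACK)):
        print(name, audit(ini) or "ok")
```

The `remote_connect_back` case is flagged even when `remote_host` is loopback, because with that setting enabled Xdebug 2.x ignores `remote_host` and connects to the address of the HTTP client.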

Issue History

Date Modified Username Field Change
2017-10-29 20:43 hajekj New Issue
2017-10-29 20:44 hajekj Tag Attached: security
2017-12-17 14:32 derick Note Added: 0004516
2017-12-17 14:32 derick Status new => closed
2017-12-17 14:32 derick Assigned To => derick
2017-12-17 14:32 derick Resolution open => won't fix
2020-03-12 16:33 derick Category Remote Debugging => Step Debugging