Oleksandr IY

Reputation: 3106

Will my `post` data passed via SSL with CURL be safe enough?

I am developing an API and want it to be fully secure. Please consider this function code:

```php
public function send_ok($tdata, $mdata)
{
    // Strip any existing scheme, then force https://
    $url = str_replace('http://', '', $mdata['api_transaction_return_url']);
    $url = str_replace('https://', '', $url);
    $url = 'https://'.$url;
    $process = curl_init($url);
    // Certificate and host name verification are switched off here
    curl_setopt($process, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($process, CURLOPT_SSL_VERIFYHOST, FALSE);

    curl_setopt($process, CURLOPT_POST, 1);
    curl_setopt($process, CURLOPT_POSTFIELDS, $tdata);

    curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);

    $return = curl_exec($process);
}
```

This function sends a response to the remote server with the payment confirmation. So, I pass data via SSL, but is it safe enough, and what other methods can I use to make my data fully secure?

Upvotes: 1

Views: 76

Answers (1)

deceze

Reputation: 522005

SSL provides encryption of the data in transit, so it's safe from prying eyes (let's skip a whole bunch of caveats about broken cipher suites and so on). This makes SSL connections secure as such.

However, can you really be sure who you're actually sending data to? Maybe an attacker has compromised your network insofar that you're actually connecting to him instead of the payment server you think you're connecting to, and you're sending all the payment information right to the attacker.
Well, SSL has a solution to that problem as well: identification through certificates, validated by an authority through the public key infrastructure. If a certificate checks out as valid for a certain domain, you can be reasonably sure you're talking to the right server (let's skip a whole bunch of caveats about how this may break in practice if not done absolutely right here).

Unfortunately, you're completely forgoing all those features:

```php
curl_setopt($process, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($process, CURLOPT_SSL_VERIFYHOST, FALSE);
```

If you want to be sure you're talking to the right server, those two options need to be on.

If you fix that, it's reasonably secure. As reasonable as any regular security practice dictates. Will it stand up to a really determined attacker with the right resources? Maybe, maybe not. There are various ways in which an SSL connection can theoretically or practically be attacked, and some of these attacks can be mitigated by you and others may need support from the party you're connecting to.
However, it's much more likely that some other part of your server, of your PHP code, has some gaping security hole which an attacker will exploit before bothering to actually break a technology which has proven reasonably secure over time.

Upvotes: 2
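
The fix described in the answer above, as an added example that is not part of the original question or answer: the question's function with both verification options on and transport failures surfaced instead of ignored. `normalize_return_url` and `send_ok_verified` are hypothetical names, and the HTTPS-only restriction, disabled redirects, timeouts and status check are assumptions that go beyond what the answer states.

```php
<?php
// Added example: hypothetical helper names, not from the original post.

// Force the callback URL onto https:// whatever scheme (if any) was supplied.
function normalize_return_url(string $raw): string
{
    $rest = preg_replace('#^https?://#i', '', trim($raw));
    $host = parse_url('https://' . $rest, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        throw new InvalidArgumentException('Return URL has no host');
    }
    return 'https://' . $rest;
}

function send_ok_verified($tdata, array $mdata): string
{
    $process = curl_init(normalize_return_url($mdata['api_transaction_return_url']));
    curl_setopt_array($process, [
        CURLOPT_SSL_VERIFYPEER => true,            // validate the chain against trusted CAs
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the URL's host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // assumption: never fall back to plain HTTP
        CURLOPT_FOLLOWLOCATION => false,           // assumption: no re-sending to a redirect target
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $tdata,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($process);
    if ($body === false) {
        // Certificate and host-name verification failures are reported here.
        throw new RuntimeException(
            'Payment callback not sent (cURL error ' . curl_errno($process) . '): ' . curl_error($process)
        );
    }
    $status = curl_getinfo($process, CURLINFO_HTTP_CODE);
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Payment callback rejected with HTTP $status");
    }
    return $body;
}

// Constructed sample inputs: URL normalisation runs offline, no request is sent.
foreach (['http://shop.example/cb', 'HTTPS://shop.example/cb', 'shop.example/cb'] as $u) {
    echo normalize_return_url($u), PHP_EOL;
}
```

With verification on, a certificate that does not chain to a trusted CA or does not match the host name makes `curl_exec` return `false`, so the caller must treat the exception as "confirmation not delivered" rather than retrying with verification disabled.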
