
Our PHP Security Roadmap for the Year 2019

[Category: Network Security | Posted by: 店小二05 | Date: 2019 | Author: 红领巾]

Since our inception, we've typically published retrospective blog posts every year:

Year 2015 retrospective
Year 2016 retrospective
Year 2017 retrospective

A recurring theme of these posts has been, "We have an ambitious plan to make the Internet more secure."

At the end of 2015 looking towards 2016, we wanted to emphasize "secure-by-default" as the best attitude towards security.

Our goal for 2017 was to get libsodium into the PHP core (which we did! The vote passed 37 to 0) and write a pure-PHP polyfill library we call sodium_compat.

Our goal in 2018 was to kickstart an ecosystem-wide clean-up effort to address the discoverability problem: It's much easier for new PHP developers to discover bad security advice than good security advice. We wanted to flip the script on this problem and make new developers learn tools and techniques that are, at a base, far more conducive to developing secure applications.

This was somehow even more ambitious than our 2017 goal, and unsurprisingly, we didn't have the same measure of success this time around. But the campaign is still young, and may take several years to play out in full, and we believe a recent announcement from another organization shines a light of hope on our efforts. More on that in a minute.

The Year 2019 Will Be a Game-Changer for PHP Security

PHP 5 has reached End-of-Life

According to the list of supported PHP versions, PHP 5 has reached the end of its life. After PHP 5.6.40 is released, it will no longer receive security fixes from the PHP team.

There are a lot of advantages to PHP 7, and we've previously committed to generally only supporting PHP 7 for non-polyfill libraries.

In particular, PHP 7.2 brings you the Sodium cryptography library as a standard library, and removes the dangerous and abandoned mcrypt extension. PHP 7.2 is also currently the minimum version of PHP with active non-security support from the PHP team.

WordPress Commits to Requiring PHP 7 at the End of 2019

According to Jenny Wong at WordCamp US, WordPress is committed to dropping PHP 5 support by the end of 2019. She also says that the team could aim for a minimum of PHP 7.2 by the end of 2019.

In an effort to help plugin developers migrate any of their cryptography features to use the new Sodium extension in PHP 7.2, we've opened a new WordPress ticket to add sodium_compat to WordPress that we hope will land in time for the 5.1 release.

Paragon Initiative Enterprises to Bring Modern Cryptography to Everyone

In addition to our efforts to make WordPress 5.1 expose secure cryptography to the millions of WordPress users (regardless of their PHP version), sodium_compat has landed in a few other projects recently.

Joomla since 3.8.0 has supported libsodium through sodium_compat. Magento Open Source 2.3.0 released last month with PHP 7.2 support, and also uses sodium_compat to polyfill these features for projects installed on versions of PHP older than 7.2.

With WordPress expected to adopt sodium_compat, this means that modern cryptography (Curve25519, XSalsa20-Poly1305, etc.) will soon be available to two thirds of the installed content management systems* on the Internet, according to W3Techs's statistics.

(This figure is equivalent to roughly 37% of the websites on the Internet, at the time of this writing.)

We expect this trend to continue, and for the application-layer encryption used by most PHP frameworks to drastically improve in 2019 either through supporting ext/sodium and requiring PHP 7.2 or higher... or through our polyfill library.

Towards the Standardization of an Extended-Nonce AEAD Cipher

Last year, we proposed a draft Internet Standard to the Crypto Forum Research Group (CFRG), the part of the Internet Engineering Task Force (IETF) dedicated to evaluating and recommending cryptographic functions for new protocols, to standardize XChaCha20 and an AEAD mode that combines XChaCha20 with the Poly1305 one-time authentication function.

XChaCha20 is an eXtended-nonce variant of ChaCha20, which uses another function called HChaCha20 to derive a subkey from the key and the first 128 bits of the 192-bit extended nonce, then uses ChaCha20 with the subkey and remainder of the nonce to encrypt messages.
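
The construction described above, written out as a minimal Python reference (an added example, not code from the draft, libsodium or sodium_compat). It covers the unauthenticated stream cipher only, without Poly1305; the function names and the initial block counter of 0 are choices made for this illustration.

```python
import struct

MASK = 0xFFFFFFFF
CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")
# Four column rounds followed by four diagonal rounds = one double round.
ROUND = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
         (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    for rot_d, rot_b in ((16, 12), (8, 7)):
        s[a] = (s[a] + s[b]) & MASK
        s[d] = _rotl(s[d] ^ s[a], rot_d)
        s[c] = (s[c] + s[d]) & MASK
        s[b] = _rotl(s[b] ^ s[c], rot_b)

def _twenty_rounds(state):
    s = list(state)
    for _ in range(10):
        for a, b, c, d in ROUND:
            _quarter_round(s, a, b, c, d)
    return s

def hchacha20(key, nonce16):
    """Derive a 32-byte subkey from the key and the first 128 bits of the nonce."""
    if len(key) != 32 or len(nonce16) != 16:
        raise ValueError("hchacha20 needs a 32-byte key and a 16-byte nonce prefix")
    s = _twenty_rounds(CONSTANTS + struct.unpack("<8I", key) + struct.unpack("<4I", nonce16))
    # Unlike a ChaCha20 block, the input state is not added back; rows 0 and 3 are the output.
    return struct.pack("<8I", *(s[0:4] + s[12:16]))

def chacha20_block(key, counter, nonce12):
    """One 64-byte ChaCha20 keystream block (32-bit counter, 96-bit nonce)."""
    init = CONSTANTS + struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce12)
    s = _twenty_rounds(init)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))

def xchacha20_xor(key, nonce24, data, counter=0):
    """Encrypt or decrypt data under a 192-bit nonce (no authentication)."""
    if len(nonce24) != 24:
        raise ValueError("XChaCha20 needs a 24-byte nonce")
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:]  # remaining 64 bits, zero-prefixed to 96 bits
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(subkey, counter + i // 64, nonce12)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)
```

Because the first 128 bits of the nonce select a fresh subkey, a 192-bit nonce can be generated at random for each message without the collision concerns of a 96-bit one.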

You can read the XChaCha20 RFC draft online.

After an adoption call that received an overwhelmingly positive response, our RFC draft was accepted as a CFRG work item.

In the near future, XChaCha20 and AEAD_XCHACHA20_POLY1305 will become Internet Standards with a formal RFC number attached to them. Once this happens, libsodium's crypto_aead_encrypt() and crypto_aead_decrypt() will use XChaCha20-Poly1305. Assuming the IETF moves at a reasonable speed, this libsodium update should soon follow, and the updated sodium API should be safe to land in PHP 7.4.

Our work on making XChaCha20 an Internet Standard also opens the door to future RFCs for WireGuard and PASETO. The consequences of this work will extend far beyond the PHP ecosystem, and the Internet will be much more secure for it.

Projects We Intend to Launch in 2019

A lot of the security game changers we outlined above are either already in motion or do not directly involve our company. So you might be wondering, "What's PIE doing this year?"

Searchable Encryption for your ORMs: CipherSweet Integrations

In 2017, we wrote a blog post about searchable encryption, which also got syndicated by SitePoint.

What might not have gotten as much air time is that we actually implemented our design as a standalone library we call CipherSweet.

We spent a lot of time on fleshing out the threat model and exact security properties of CipherSweet's design. It should now be almost trivial to implement it securely in any PHP software that uses a relational database.

This year, we're going to be building integrations with Object-Relational Mappers, such as Doctrine and Eloquent, which should immediately make CipherSweet more accessible to Symfony and Laravel developers.

Why "CipherSweet"?

It was originally designed to be integrated into SuiteCRM, and Scott often relies on puns for naming new projects.

Sodium-JVM: Sodium_Compat for the Java Ecosystem

Not to put too fine a point on it, we're planning on doing to Java what we already did to PHP.

Re-implementing libsodium in pure Java (hence, Sodium-JVM) is a massive undertaking, but it offers a lot of nice benefits over the existing Java bindings.

Sodium-JVM will be portable. You can use the same classes and code on Java servers that you use on desktop software or Android devices. Other languages with runtimes written in Java will also be able to seamlessly bind to the same common codebase.

The existing bindings just wrap the library written in C. Like with the PHP polyfill, we would want to use libsodium proper if it's available.

Enterprise Support Contracts

This isn't really something conceptually new; we've always offered enterprise support contracts for our open source software.

What is new, however, is that we launched a new portal for streamlining the process.

If you're stuck on PHP 5 because your systems are married to a Long-Term Support version of an Enterprise Linux, and you were using any of our open source libraries to improve your company's website security, you'll probably rest easier at night knowing that your company has a support contract with ours that ensures any bugs that only affect the PHP 5-compatible versions of our software will be fixed.

Clients with existing support contracts will not need to take any action at this time. (You should have already received an email from us explaining this change.)
