[wp-hackers] Wordpress database encryption.
jackie.craig.sparks at live.com
Sun Nov 27 05:35:22 UTC 2011
Sorry, they didn't crack them. They exposed a flaw in md5 so they could replicate the certificate hash.
It wouldn't prevent them but it would at least slow them down and maybe make them move to an easier target.
People's data is important and deserves to be protected, IMO.
> From: wordpress at dd32.id.au
> Date: Sun, 27 Nov 2011 16:25:15 +1100
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] Wordpress database encryption.
> On 27 November 2011 16:18, jackie sparks <jackie.craig.sparks at live.com> wrote:
> > This just isn't security by obscurity. This can protect the data in the database from sql injections from rogue plugins and miscoded plugins (this seems to be a huge problem, if you read the sec lists in the past week. There have been over 10 new exploits found for different plugins). Have to know the keys to decode the data. CCC (those German guys are pretty bad) has already proven that SSL certs can be cracked and replicated on the fly with a cluster of ps3 systems, http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-ps3s/ .
> > Most crackers are opportunists. If they have the opportunity they will take it. If it's difficult they will leave it be.
> > Can I randomize the usermeta id's through the use of a plugin so firstname is not always 1,16,24,32 ?
> > Every security system has its fail points
> My point was -location wise- it's security by obscurity if you attempt
> to "hide" the code in core code rather than in a plugin, ie this
> > It would make it harder for someone to find the code instead of just browsing thru directory in the wp-content/plugins dir.
> But yes, aside from initial install, you can randomise user ID's if
> you wish, just increment the wp_users AUTO_INCREMENT value a random
> amount each time a user is added for example. Or alter the ID before
> the data is sent to the update()/insert() calls.
> For the initial install, it's a bit harder as plugins aren't loaded,
> but there's a wp-content/install.php dropin that can be used to
> override certain installation functions.
> >> (...) I would *not* be focusing on making a core patch for this, it's
> >> something that's much better aimed at being a plugin (or a wp-content/db.php
> >> Dropin file if it can't be done other ways).(...)
> > You can load alternative files in core from a plugin? Or would this be
> > replacing files manually. Couldn't find any other documentation on this
> > other than pluggable functions (
> > http://codex.wordpress.org/Pluggable_Functions ), which is something else.
> No, you can't override specific core files. WordPress does have
> support for non-mysql databases by you adding a wp-content/db.php file
> however, have a look at the HyperDB plugin/drop-in for example for a
> client class that can support multiple MySQL servers (ie. Master/slave
> setup). This is similar to the advanced-cache.php and object-cache.php
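As an added illustration of the AUTO_INCREMENT approach dd32 describes in the quoted message (example code written for this page, not from the thread, from WordPress core or from HyperDB): a minimal plugin that, after each user row is inserted, moves the wp_users AUTO_INCREMENT counter forward by a random amount so that subsequent user IDs are not sequential. The `user_register` hook, `wp_rand()` and the `$wpdb` methods are real WordPress APIs; the plugin name, the function name and the 13..997 gap range are assumptions. As the quoted text notes, this does nothing for the first user created by the installer, since plugins are not loaded at that point, and it only addresses ID predictability, not the database-exposure concern the thread started with.

```php
<?php
/**
 * Plugin Name: Randomised user IDs (illustrative example)
 *
 * Added example for this page, not WordPress core code. After each user
 * insert, bump the wp_users AUTO_INCREMENT counter by a random gap so the
 * next user ID is not simply previous+1. The installer's first user still
 * gets ID 1 unless a wp-content/install.php drop-in handles that case.
 */

// user_register fires right after wp_insert_user() has written the row,
// passing the new user's ID.
add_action( 'user_register', 'rui_bump_user_auto_increment', 10, 1 );

function rui_bump_user_auto_increment( $user_id ) {
    global $wpdb;

    // Gap of 13..997 (assumed bounds, tune to taste): neither sequential
    // nor absurdly sparse. wp_rand() is WordPress's bounded random helper.
    $gap     = wp_rand( 13, 997 );
    $next_id = (int) $user_id + $gap;

    // wpdb::prepare() formats client-side, so %d is fine here even though
    // MySQL cannot bind a parameter inside ALTER TABLE. The DB user needs
    // the ALTER privilege on the users table for this to succeed.
    $wpdb->query(
        $wpdb->prepare(
            "ALTER TABLE {$wpdb->users} AUTO_INCREMENT = %d",
            $next_id
        )
    );
}
```

One caveat a practitioner should expect: on older InnoDB versions the AUTO_INCREMENT counter is recomputed from MAX(ID)+1 at server restart, so a pending gap that has not yet been consumed by a new row is lost; gaps between rows already inserted are unaffected.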