[wp-trac] [WordPress Trac] #28633: Generate better random numbers
WordPress Trac
noreply at wordpress.org
Fri Feb 13 01:24:14 UTC 2015
#28633: Generate better random numbers
-------------------------------------+------------------------------
Reporter: sarciszewski | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: major | Resolution:
Keywords: needs-testing has-patch | Focuses:
-------------------------------------+------------------------------
Comment (by nacin):
This coming in as a public bug report immediately triggered alarm bells.
When this happens, and it does sometimes, the security team mobilizes to
see whether the report is indeed a vulnerability. It was pretty quickly
determined that while there may be ''something'' that could be improved
here, there was no smoking gun here. At some point, @sarciszewski started
emailing me directly, rather than the security team or by posting here. I
never saw these due to aggressive email filters. I get a lot of email and
don't have time to read lower priority stuff in a timely manner; there's a
reason why it's a security team and not a nacin team.
@sarciszewski then posted this to FD:
http://seclists.org/fulldisclosure/2015/Feb/42. I'm paraphrasing an old
movie here: it's not what was done, it's how it was done. I deal with a
lot of tiring stuff every day, and the tone wasn't all that necessary to
get the results he wanted. If he really does think WordPress has a
critical issue, then the facts would ideally speak for themselves. I sent
a tweet in reply to @sarciszewski that vaguely tried to convey my feelings
about the tone (not content). That then resulted in a lot of random people
replying at me in shall we say less than complimentary ways, because they
found the tweet through Reddit, so I deleted it. It's archived on Reddit
if you wish to read it.
Like many complicated security-related issues in WordPress, the original
code here was written far before I got involved on the project. Someone
else mentioned on Reddit some previous circumstances where I ended up
somehow being the public face for WordPress.com delivering their cookies
in the clear (1), and also WordPress not having user cookies backed by a
server-side session (2). For the first part, yeah, it was a bug, and they
addressed all aspects of it in under a week. (Also note, I don't work at
Automattic or at WordPress.com, and never have.) That second part is a
known issue going back to the b2/cafelog project WordPress was forked from
12 years ago. It wasn't something that could be changed overnight.
Everyone of course knew it was an issue. Once it became clear we did have
a viable and performant solution for it, we shipped it.
There was a reason WordPress cookies only last for 14 days even when
"Remember me" is checked, and why of course we enforce cookie expiration
times as part of our auth cookie hash. Now that we have sessions, it's
perhaps time to extend that beyond 14 days, but with most sites not having
SSL, that's still not exactly ideal either. Security and usability always
have a tradeoff. And, hey, look, I sure as hell didn't write it that way
more than a decade ago.
In the course of my research on this CSPRNG bug report, I found that the
original code here was written in 2008 in response to a report by Stefan
Esser, a well-known security researcher who is intimately familiar with
PHP, and has reported a few issues to us over the years. I couldn't locate
any conversations on our end, but I did some research and was comfortable
with the solution we had as a result of that work, as hacky as it was.
Some of Stefan's comments on Twitter have supported that sentiment, though
I've asked more specifically whether he also thinks that's true.
For the record: I think it would be nice to make an adjustment here. This
is precisely the kind of security debate that a maintainer loves to see
happen out in the open, in a healthy and positive manner, because it only
means the software will get better.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28633#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform