[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks

WordPress Trac noreply at wordpress.org
Tue Feb 6 19:11:56 UTC 2018


#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:
     Type:  enhancement                   |      Status:  reopened
 Priority:  normal                        |   Milestone:
Component:  Upgrade/Install               |     Version:  4.8
 Severity:  critical                      |  Resolution:
 Keywords:  has-patch                     |     Focuses:
------------------------------------------+-----------------------
Changes (by paragoninitiativeenterprises):

 * keywords:  has-patch reporter-feedback => has-patch


Comment:

 > > This cryptography library has not been formally audited by an
 > > independent third party that specializes in cryptography or cryptanalysis.
 >
 > Is this still the case?

 Yes, that is still the case.

 I have not suddenly had enough of a financial windfall to be able to pay
 NCC Group, Kudelski Security, Least Authority, or another trusted firm
 $2,000-$4,000 per day for an N-week engagement (where N >= 2) to audit
 sodium_compat.

 I started discussions with Mozilla about covering such an audit last year.
 It never went anywhere.

 Outside of Joomla, sodium_compat has been covered by the security experts
 that contribute to php[architect] magazine:

 https://www.phparch.com/wp-content/uploads/2017/12/php-72-sodium-december-2017.pdf
 https://www.phparch.com/wp-content/uploads/2018/02/2018-feb-educ-station-phparch.pdf

 > You mentioned in Slack that Joomla now uses this library. Has it
 > therefore been audited?

 An audit is a formal (often paid) third-party application security
 assessment. As of 2018-02-06, this has not happened.

 Joomla's security team lead, Michael Babker, reviewed sodium_compat and
 was confident enough in its security to add it to Joomla.

 > What sort of peer review has the sodium_compat library had?

 Aside from Michael Babker, a lot of security/cryptography experts have
 looked at it in some capacity.

 However, none of them have given public statements of endorsement. I'll
 ask some of them to comment on whether or not they would recommend it.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:34>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform