[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks

WordPress Trac noreply at wordpress.org
Mon Jul 15 11:46:42 UTC 2019 

#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+---------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:  pento
     Type:  task (blessed)                |      Status:  closed
 Priority:  normal                        |   Milestone:  5.2
Component:  Upgrade/Install               |     Version:  4.8
 Severity:  critical                      |  Resolution:  fixed
 Keywords:  has-patch                     |     Focuses:
------------------------------------------+---------------------

Comment (by withinboredom):

 @paragoninitiativeenterprises

 My only concern with Gossamer is specific to:

 > Rewinds the ledger to the genesis block and plays through each
 subsequent update to ensure that the final state that WordPress sees is
 deterministic.

 Verification of these blocks takes some time. Having lots of them results
 in an indeterminate amount of time to do so. This could mean that a DOS is
 as simple as doing many releases.

 > Plugin/theme developers would need tooling to generate/manage their
 signing keys.

 Another DOS attack vector (that's used in the wild with GPG, I can't
 recall the name of it right now), is to simply sign a key with hundreds,
 or even thousands of other randomly generated keys. Verifying the
 signatures takes time and can even keep a very powerful computer busy for
 quite a while (months?). This could be exploited by building or purchasing
 a simple but useful plugin and then updating the signing key to one that
 can DOS the entire network and all sites.

 As long as these are mitigated while still maintaining security, we'll
 probably benefit from something like Gossamer.

 Here are my issues with code signing, in general:

 The keys expire, which is ridiculous. Either the release was authentic
 when it was released or it wasn't. The fact that some amount of time
 passed doesn't make it any less authentic.

 When a package is signed by a developer, we have to assume that the keys
 have been protected. Generally, they might be, or they might not be. It's
 probably better to keep the keys in an HSM and let that handle signing.
 The Foundation is probably in a better position to protect the keys than
 the average developer.

 By that token, developers could get issued a one-time signing key that's
 signed by the key protected in hardware. That key would be revoked if not
 used in a certain amount of time or if used more than once. It could also
 be revoked by emailing/texting the developer with a one-click link when
 issued.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:93>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list