[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks
WordPress Trac
noreply at wordpress.org
Fri Nov 15 06:22:34 UTC 2019
#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------------
Reporter: paragoninitiativeenterprises | Owner: pento
Type: task (blessed) | Status: reopened
Priority: normal | Milestone: Future Release
Component: Upgrade/Install | Version: 4.8
Severity: critical | Resolution:
Keywords: has-patch | Focuses:
------------------------------------------+-----------------------------
Comment (by paragoninitiativeenterprises):
After a brief discussion with @dd32 on Slack, it's come to my attention
that the WordPress core team is generally confused about the status of
this ticket. So I will now attempt to clarify the situation and hopefully
that will enable everyone to make the correct choice, moving forward.
In https://core.trac.wordpress.org/ticket/39309#comment:89, Dion said
there were some performance issues (since fixed) on 32-bit platforms. And
then he dumped a whole lot of questions about key compromise that are out
of scope for the "signed core updates" problem.
There are two mutually exclusive problems. #39309 only concerns itself
with the first problem, not the second, and you should NOT roll back the
solution for one in want of the other.
1. Signing core updates.
2. Signing plugins and themes.
The reason these two are separate is simple: Core update signing (done
offline, from an airgapped machine) requires far less complexity than
plugin/theme updates.
Signing plugin and theme updates requires one of two different strategies:
1. Online signing by the core team (which is dangerous since your signing
keys must be connected to the Internet, even if through a proxy server,
instead of being kept offline).
2. Building a Public Key Infrastructure (PKI).
You really don't want your signing keys exposed to the Internet. So we're
forced into the latter option to solve the second problem.
**But this doesn't have a lick to do with the first problem.** You can use
the solution provided in #39309, with an updated sodium_compat (#48371),
and safely tell every WordPress install to check the Ed25519 signatures
tomorrow.
Gossamer is a proposal to solve the PKI problem without reinventing X.509.
Worth watching: https://www.youtube.com/watch?v=ibF36Yyeehw
#39309 doesn't care about PKI, and we don't need a PKI solution in order
to have signed automatic updates of the WordPress core.
But #39309 is also not suitable for, for example, signing theme/plugin
updates. And it was never advertised as appropriate for that. (So why did
anyone try to use it for that?)
The solution provided in this ticket is only for the core updates. Nothing
more, nothing less.
If you want to know the status of the ticket (which I will remind you has
nothing to do with PKI, key revocation, etc.), keep signing the updates
and collecting telemetry.
Once the errors are below the noise floor of misconfigured systems and
hardware failures disguising themselves as software bugs, ''enforce
them''.
**That's all you have to do.**
Don't roll anything back. That's reckless and basically tells criminals,
"Hey! We don't care about security. Please hack our update server and turn
34% of websites into a botnet, then DDoS the core infrastructure and make
everyone's lives miserable."
I'll open another ticket this weekend to discuss the "Allow developers to
sign their own updates" problem, which will almost certainly involve
implementing a PKI.
If anyone thought the solution in #39309 (this ticket) was incomplete
because they believed there was only one problem to solve, rather than two
mutually exclusive and orthogonal problems with a little bit of shared
plumbing, I hope this comment clarifies the situation.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:103>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
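The verification step the comment describes (check a detached Ed25519 signature on the core package, log failures first, enforce once the error rate is understood), as an added example that is not WordPress core or sodium_compat code. It assumes PHP 7.2+ with the sodium extension (sodium_compat polyfills the same function names); the rollout modes, function names and the log sink are hypothetical, and the keypair and package bytes are constructed for the demo.

```php
<?php
// Added example, not WordPress or sodium_compat code. Verifies an Ed25519
// signature over a core update package and applies the "telemetry first,
// then enforce" rollout. Constants and function names are hypothetical.
declare(strict_types=1);

const MODE_TELEMETRY = 'telemetry'; // log verification failures, still install
const MODE_ENFORCE   = 'enforce';   // refuse to install on verification failure

/**
 * Verify a detached Ed25519 signature over the exact package bytes.
 * Length checks run first so malformed input fails closed instead of throwing.
 */
function verify_core_package(string $package, string $signature, string $public_key): bool
{
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($public_key) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached($signature, $package, $public_key);
}

/**
 * Decide whether the package may be installed under the current rollout mode.
 * $log is the telemetry sink (hypothetical; error_log is used in the demo).
 */
function may_install(string $package, string $signature, string $public_key,
                     string $mode, callable $log): bool
{
    if (verify_core_package($package, $signature, $public_key)) {
        return true;
    }
    // Record the failure with a content hash so the noise floor can be measured.
    $log(sprintf('core-update signature failure: sha256=%s mode=%s',
                 hash('sha256', $package), $mode));
    return $mode === MODE_TELEMETRY; // enforce mode blocks the install
}

// Constructed demo keypair; a real signing key stays on the offline machine.
$keypair = sodium_crypto_sign_keypair();
$pk = sodium_crypto_sign_publickey($keypair);
$sk = sodium_crypto_sign_secretkey($keypair);
$package = 'constructed core package bytes';
$sig = sodium_crypto_sign_detached($package, $sk);

var_dump(may_install($package, $sig, $pk, MODE_ENFORCE, 'error_log'));
var_dump(may_install($package . 'x', $sig, $pk, MODE_TELEMETRY, 'error_log'));
var_dump(may_install($package . 'x', $sig, $pk, MODE_ENFORCE, 'error_log'));
```

The tampered package is accepted in telemetry mode (with a log line) and rejected in enforce mode, which is the switch the comment says to flip once failures drop below the noise floor.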