[wp-trac] [WordPress Trac] #49200: Allow Developers to Cryptographically Sign Their Own Plugins/Themes with the Gossamer Public Key Infrastructure (PKI)

WordPress Trac noreply at wordpress.org
Thu Jan 16 04:09:34 UTC 2020


#49200: Allow Developers to Cryptographically Sign Their Own Plugins/Themes with
the Gossamer Public Key Infrastructure (PKI)
------------------------------------------+------------------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:  (none)
     Type:  enhancement                   |      Status:  new
 Priority:  normal                        |   Milestone:  Awaiting Review
Component:  Upgrade/Install               |     Version:  trunk
 Severity:  normal                        |  Resolution:
 Keywords:                                |     Focuses:
------------------------------------------+------------------------------

Comment (by paragoninitiativeenterprises):

 Hi @ayeshrajans. Thank you for the insightful comment.

 I think you misunderstood the architecture a bit.

 The only package that will be installed on any WordPress machine is
 [[https://github.com/paragonie/libgossamer/blob/master/composer.json|libgossamer]],
 not [[https://github.com/paragonie/gossamer-
 server/blob/master/composer.json|gossamer-server]] (which can also exist
 as a WordPress plugin so people don't have to trust external servers that
 run slim, etc.). The version of libgossamer that will be included in the
 WP core patch will only depend on `wpdb`, `Wp_Http`, and the already-
 present sodium_compat. (We aren't using Composer to automatically fetch
 dependencies when we write a WordPress patch.)

 A lot of the concerns about external dependencies and trust follow from
 this misunderstanding, so I shall not dwell on them further. If you feel
 any of them are still worthy of examination in the context of a
 libgossamer dependency, not a gossamer-server dependency, please let me
 know which ones. We don't want to beat a dead horse (as the idiom goes),
 but we also want to make sure any standing criticisms are fully discussed.

 > I find the update signing in Composer and Phar-IO to be least invasive
 yet functional.

 Incidentally, we are preparing a congruent proposal for
 Composer/Packagist.

 The problem with signed Phars is that you can strip them easily. Simply
 delete the pubkey file and replace the OpenSSL signature with a SHA1 hash
 and PHP will happily run unsigned code again.

 > They rely on openssl and gpg, which had several security
 vulnerabilities, but are trusted available to be used by pretty much every
 LAMP stack.

 OpenSSL and PGP would downgrade our proposal to use:

 * [[https://www.deepinstinct.com/2020/01/15/cve-2020-0601-what-you-need-
 to-know|X.509]]
 * [[https://latacora.micro.blog/2019/07/16/the-pgp-problem.html|PGP]]
 * [[https://robotattack.org|RSA]] - See also:
 [[https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html
 #asymmetric-signatures|Don't use RSA]] and
 [[https://blog.trailofbits.com/2019/07/08/fuck-rsa/|Seriously, Stop Using
 RSA!]]

 The experts in software security and cryptography are almost unanimously
 opposed to the incumbent tools. The reasons are varied, but mostly:

 1. They introduce a lot of unnecessary complexity, which makes the
 security predictions pessimistic.
 2. They invite you to chase the lowest denominator of cryptography
 primitives (e.g. RSA with PKCS1v1.5 padding) rather than simply secure
 [[https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf|boring
 crypto]] (PDF).
 3. Many of these projects were designed by hobbyists and advocated by
 activists who were well-meaning but largely out of their depth when it
 comes to secure protocol design.

 Aside: Libgcrypt (which powers GnuPG) is basically an entire undergraduate
 course in side-channel cryptanalysis. Instead of fixing GPG, experts are
 designing tools to replace it entirely, like
 [[https://github.com/FiloSottile/age|age]] and
 [[https://github.com/jedisct1/minisign|minisign]]. Do not resuscitate.

 With all that in mind, opting for RSA/PGP/X.509 isn't being conservative
 with security. It's regressive, in this case.

 > Because of the lack of an audit

 If an audit would give the WordPress community confidence in what's being
 offered, surely the WordPress community can fund one?

 If anyone reading this is wondering why we insist the community fund an
 audit, ask yourself, "Is it reasonable to expect the person or team who's
 put hundreds of hours of unpaid cryptography engineering work into solving
 this problem, with no plans to monetize their solution, to further pony up
 tens or even hundreds of thousands of dollars out of their own pocket to
 pay their competitors to conduct an audit?"

 If an audit is necessary, then it should be on the community to fund one.

 If the community cannot or will not fund an audit, then the "lack of an
 audit" objection has no standing and should be put to rest in future
 discussions about this project unless the funding calculus changes.

 > and the novel approach instead of using established PKI, all these 35.5%
 of web sites would be indirectly trusting your organization to keep the
 word and take your PKI approach instead.

 What trust does the WordPress community have to give us, exactly?

 * The entire Gossamer PKI is deterministic and auditable. No one can abuse
 it without getting caught.
 * We will not have any privileged position (e.g. the "Super Provider"; the
 WordPress security team will have control over that).
 * Our designs are 100% open source, and permissively licensed.

 The standard for cryptographic transparency is called "nothing up my
 sleeves", wherein all design decisions are justified clearly and nothing
 gives the designer an unfair advantage (e.g. a backdoor).

 Gossamer isn't just "nothing up my sleeves" transparency, it's more like
 "stark naked with an RFID tracking chip that anyone can monitor" levels of
 transparency.

 The only trust that anyone has to have is that we implemented the
 algorithms correctly (but only if you don't have ext/sodium installed) and
 that our protocol is actually secure.

 (The entire point of Gossamer's design is to keep power in the hands of
 the community, rather than an elite class of experts. We abhor power-
 seeking behavior.)

 > I think the question ultimately comes down to the politics and trust
 considerations ... and whether the PKI approach can stand against the
 masses.

 (Snipped for the above consideration about dead horses.)

 If the answer turns out to be "No, the PKI approach cannot stand against
 the masses," then it will require an scientific breakthrough in modern
 cryptanalysis and secure protocol design.

 Breakthroughs are difficult to predict, but given the slowed rate of hash
 functions being broken (SHA-2 is still secure, despite decades of
 attempts), it seems unlikely to happen.

 > What sort of trust do we (as WordPress community) has for Gossamer to be
 included by default in world's most wide-spread web platform?

 This is an excellent question that everyone should ask themselves
 earnestly. We'd love to hear what the community needs, and then outline a
 strategy to meet those needs.

 If the WordPress community feels that they need cryptography experts to
 chime in, Paragon Initiative Enterprises is ''kind of the only game in
 town'' for PHP cryptography. (This wasn't our doing, either. We abhor
 gate-keeping.)

 > As someone who wishes WordPress (and many PHP packages for that matter)
 to adopt automatic updates that trust for developers are established
 without secure channels or middleman, I really wish your efforts will
 fruitful.

 Thanks!

 > May I ask what prevents you from providing this solution as a plugin?

 Insecure by default means insecure in practice. Making this an optional
 feature means most people will not benefit from better security.

 I mean, for all any of us know, this could all be for naught. While we're
 discussing ways to prevent a supply-chain attack, someone else could be
 ready to press the Enter key on their exploit to burn it all down. There
 are no guarantees in life, we just have to do the best we can.

 A temporary plugin can absolutely be developed for testing purposes prior
 to mass adoption, but the end goal should absolutely be ubiquitous
 deployment to the entire ecosystem.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49200#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list