Newsgroups: php.internals
Xref: news.php.net php.internals:69143
Subject: Re: [PHP-DEV] PHP Crypt functions - security audit
From: Johannes Schlüter <johannes@schlueters.de>
To: Alain Williams
Cc: internals@lists.php.net
Date: Mon, 16 Sep 2013 13:56:58 +0200
Message-ID: <1379332618.3097.8363.camel@guybrush>
In-Reply-To: <20130916105630.GZ3919@phcomp.co.uk>

On Mon, 2013-09-16 at 11:56 +0100, Alain Williams wrote:
> In the light of the recent scandal of the NSA (& others) attacking encryption
> would it be a good idea to see if we can get an audit of all the security
> related code in PHP? It would do a bit to help boost confidence in PHP - and
> might even find something (although I hope not).

PHP itself doesn't do much crypto stuff. We rely mostly on libs like
OpenSSL etc. and provide hashing algorithms which follow the specifications.
If the specifications are bad, this is a global non-PHP issue.

> What I am thinking of:
>
> * done by people outside of the usual PHP community.

If you get reviewers to review our code, we're happy to receive feedback
on bugs.php.net or security@php.net.

> * the final report, and any interim ones, to be published in their entirety.
>
> * done by people who have real clue when it comes to security [count me out :-) ].

The issue is that most people with "real clue" either charge a lot of
money or tend to do more self-promotion than actual help.

> Why? To improve the public confidence in PHP.
>
> Just in case you have been living under a stone recently:
>
> https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

Note that most of these things don't refer to PHP directly, i.e.
encryption between user and PHP is usually done by the web server, and
encryption between PHP and databases by database libraries. If applications
built on top of PHP don't do proper end-to-end encryption, it is also not an
issue of the platform itself.

johannes