Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:69147
Return-Path: <rdlowrey@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 48861 invoked from network); 16 Sep 2013 13:58:42 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 Sep 2013 13:58:42 -0000
Authentication-Results: pb1.pair.com smtp.mail=rdlowrey@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=rdlowrey@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.223.182 as permitted sender)
X-PHP-List-Original-Sender: rdlowrey@gmail.com
X-Host-Fingerprint: 209.85.223.182 mail-ie0-f182.google.com  
Received: from [209.85.223.182] ([209.85.223.182:49897] helo=mail-ie0-f182.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B5/B3-27599-19E07325 for <internals@lists.php.net>; Mon, 16 Sep 2013 09:58:41 -0400
Received: by mail-ie0-f182.google.com with SMTP id aq17so7566456iec.13
        for <internals@lists.php.net>; Mon, 16 Sep 2013 06:58:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:cc:content-type;
        bh=9HsmioKeqyo1Agi6ecl+FikKJIO7i3lJQN3BYCeVfI8=;
        b=A66ak8id14/7pVkZhWw6jCIP6mLsB36v7UoaGXtwOVleinU2XL8tHDCxuCASCdYkwo
         CnsQFr9Cy10o2n81Lzg3HbNy8ohmDdBEc+ch3tcvRcuCvUMc2mFR4P874q5eyIB5ITVq
         dO5MK8hyn8Wn8aDPZ3EikiZ+X+0CSihriC2EXfG3P8CiOvpVz7E1+SBeAFNMYuCwE+XN
         ukViJfbI4OBHT0TDHYOJ+HqASF8txIYnYFlnnAPsz7JGmCQBMQ5euMJk+zxQDHURfFxq
         z163JpjVUAIxrkzVfL/Sg6Shpy+nK6ElxeAEW1BNsHN0n10cumAz97pjtwo3XBMRZDr/
         kSOA==
MIME-Version: 1.0
X-Received: by 10.43.93.5 with SMTP id bs5mr151874icc.32.1379339918703; Mon,
 16 Sep 2013 06:58:38 -0700 (PDT)
Received: by 10.50.228.48 with HTTP; Mon, 16 Sep 2013 06:58:38 -0700 (PDT)
Date: Mon, 16 Sep 2013 09:58:38 -0400
Message-ID: <CAH8MpnnTGD0xAwG1j9sh10EC6XzdscVRLbJzEMG6qWSBK5c17w@mail.gmail.com>
To: johannes@schlueters.dot.de
Cc: addw@phcomp.dot.co.uk, "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=bcaec519691de108f004e68099a5
Subject: Re: Re: PHP Crypt functions - security audit
From: rdlowrey@gmail.com (Daniel Lowrey)

--bcaec519691de108f004e68099a5
Content-Type: text/plain; charset=ISO-8859-1

> PHP itself doesn't do much crypto stuff. We rely mostly on libs like
> openssl etc. and provide hashing algorithms which follow the
> specifications. If the specifications are bad this is a global non-PHP
> issue.

That's all true, of course. But there are still places where new patches to
the underlying libs (like openssl) get lost in translation and it's PHP's
responsibility to add support. For example, about a year ago the CRIME
attack vector (
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls)
was publicized. Preventing CRIME attacks is trival: disable compression at
the TLS layer. The OpenSSL folks quickly provided the SSL_OP_NO_COMPRESSION
constant in response, but it wasn't until a couple of months ago that I
supplied a patch (http://lxr.php.net/xref/PHP_5_5/ext/openssl/xp_ssl.c#398)
allowing a stream context option to disable compression on TLS streams.
This means that for ~8-9 months any PHP code using the native encryption
context options with `stream_socket_server()` was vulnerable.

Now, I'm aware that very few developers use PHP to develop heavy-duty
encrypted servers. Indeed there's a misconception that CLI PHP isn't
capable of functioning in long-running server environments (not true). In
such scenarios it doesn't help that PHP delegates the actual encryption to
other libs under the hood -- we still need to implement security fixes as
they become available.

Perhaps more importantly, it's incumbent upon PHP to keep documentation
up-to-date on these kinds of issues. The disable_compression ssl:// stream
context option used to prevent the CRIME attack (above) is still not
reflected in the php.net documentation ...

*** THIS IS MY FAULT ***

I should have submitted a docs patch as well, but failed to do so. I'll
make that happen this week.

More generally, PHP's stream encryption aspects are quite poorly
documented. For example, https:// streams disable peer verification by
default. While I understand that this is necessary to provide the easiest
possible user experience for things like `file_get_contents("
https://somesite.com")`, it's also horribly insecure. 99% of people using
tools like this won't know anything about this "feature" and won't realize
that their stream transfers are totally vulnerable to Man-in-the-Middle
attacks by default.

IMO education and documentation is an important step we can take on the
security front right now that's decoupled from any of the implementation
code. Security should be treated proactively and not reactively and this is
an area where improvement is necessary. I can't think of a better way to
generate bad press for PHP than to have PHP code publicly exploited. That
said, documenting things like this take time and we're all busy. I'll make
an effort myself to improve documentation (at least with regard to standard
SSL/TLS use-cases), but I'm only one person and I'm not a security expert
by any means. I think it's important for anyone familiar with this area to
also spend some time to see where the official documentation can be
improved and explained.

It's not enough to provide secure functionality -- we need to make sure its
possible for people to understand how to implement that functionality in a
secure way.

--bcaec519691de108f004e68099a5--