In the light of the recent scandal of the NSA (& others) attacking encryption
would it be a good idea to see if we can get an audit of all the security
related code in PHP ? It would do a bit to help boost confidence in PHP - and
might even find something (although I hope not).
What I am thinking of:
- done by people outside of the usual PHP community.
- the final report, and any interim ones, to be published in their entirety.
- done by people who have real clue when it comes to security [count me out :-) ].
Why ? To improve the public confidence in PHP.
Just in case you have been living under a stone recently:
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>
> In the light of the recent scandal of the NSA (& others) attacking encryption
> would it be a good idea to see if we can get an audit of all the security
> related code in PHP ? It would do a bit to help boost confidence in PHP - and
> might even find something (although I hope not).
PHP itself doesn't do much crypto stuff. We rely mostly on libs like
openssl etc. and provide hashing algorithms which follow the
specifications. If the specifications are bad this is a global non-PHP
issue.
> What I am thinking of:
> - done by people outside of the usual PHP community.
If you get reviewers to review our code we're happy to receive feedback
on bugs.php.net or security@php.net.
> - the final report, and any interim ones, to be published in their entirety.
> - done by people who have real clue when it comes to security [count me out :-) ].
The issue is that most people with "real clue" either charge a lot of
money or tend to do more self-promotion than actual help.
> Why ? To improve the public confidence in PHP.
> Just in case you have been living under a stone recently:
> https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
Note that most of these things don't refer to PHP directly. i.e.
encryption between user and PHP is usually done by the web server.
Encryption between PHP and databases by database libraries. If
applications built on top of PHP don't do proper end-to-end encryption
it is also no issue of the platform in itself.
johannes