Date: 2017-02-21
PHP Becomes First Programming Language To Add 'Modern' Cryptography Library In Its Core (bleepingcomputer.com)
An anonymous reader writes from a report via BleepingComputer: The PHP team has unanimously voted to integrate the Libsodium library in the PHP core, and by doing so, is becoming the first programming language to support a modern cryptography library by default. Developers approved a proposal with a vote of 37 to 0 and decided that Libsodium will be added to the upcoming PHP 7.2 release that will be launched towards the end of 2017. Scott Arciszewski, the cryptography expert who made the proposal, says that by supporting modern crypto in the PHP core, the PHP team will force the WordPress team to implement better security in its CMS, something they avoided until now. Additionally, it will allow PHP and CMS developers to add advanced cryptography features to their apps that run on shared hosting providers, where until now they weren't able to install custom PHP extensions to support modern cryptography. Other reasons why he made the proposal are detailed here. Arciszewski also says that PHP is actually "the first" programming language to support a "modern" cryptography library in its core, despite Erlang and Go including similar libraries, which he claims are not as powerful and up-to-date as PHP's upcoming Libsodium implementation.
Any language where the default equality comparison operator is *true* given two string-type variables with values "0E54321" and "0E12345" is not a cryptographically secure language. In fact there is a nonzero chance of the default equality operator returning true between two different MD5 or SHA256 hashes if they happen to fall into a hexadecimal form that is all digits except for one E or F.
PHP has a comparison operator === that evaluates if the two things it is comparing are equal and of the same type.
$ php -r "if (\"0E54321\" === \"0E12345\") { echo 'equal'; } else { echo 'not equal'; } "
not equal
Without ===, variable type conversion can cause a string containing numbers to be converted to an integer. See these links for details:
http://php.net/manual/en/langu... [php.net]
http://php.net/manual/en/langu... [php.net]
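The comparison behaviour discussed in the two comments above, shown side by side as an added example that is not part of the original thread. The digest-shaped strings are constructed (not real hash outputs) and the helper names are hypothetical; `hash_equals()` is PHP's built-in timing-safe string comparison.

```php
<?php
// Constructed digest-shaped strings (NOT real hash outputs): "0e" followed
// only by decimal digits, so PHP treats each one as a numeric string (0 * 10^n).
$stored   = '0e111111111111111111111111111111';
$supplied = '0e222222222222222222222222222222';

// Hypothetical helpers, named for this example only.
function loose_match(string $a, string $b): bool
{
    // When both operands are numeric strings, == compares them as numbers,
    // so any two "0e<digits>" values both evaluate to 0.0 and compare equal.
    return $a == $b;
}

function strict_match(string $a, string $b): bool
{
    // === requires the same type and the same bytes; no numeric conversion.
    return $a === $b;
}

function digest_match(string $known, string $user): bool
{
    // hash_equals() compares byte by byte and does so in constant time,
    // which is what a digest or MAC check should use.
    return hash_equals($known, $user);
}

$cases = [
    'strings from thread' => ['0E54321', '0E12345'],
    'digest-shaped'       => [$stored, $supplied],
    // A hex letter other than the single "e" makes the string non-numeric,
    // so == falls back to a string comparison for this pair.
    'contains hex letter' => ['0e1111a1', '0e2222b2'],
    'identical'           => [$stored, $stored],
];

foreach ($cases as $label => [$a, $b]) {
    printf("%-20s ==:%-5s ===:%-5s hash_equals:%s\n", $label,
        var_export(loose_match($a, $b), true),
        var_export(strict_match($a, $b), true),
        var_export(digest_match($a, $b), true));
}
```

Only the first two rows differ between `==` and the other two checks; for those pairs `==` reports a match while `===` and `hash_equals()` do not.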
Arciszewski also says that PHP is actually "the first" programming language to support a "modern" cryptography library in its core, despite Erlang and Go including similar libraries, which he claims are not as powerful and up-to-date as PHP's upcoming Libsodium implementation.
So it's the first to support a modern cryptography library, as long as you define "modern" to mean "the one that we're using."
It's easy to be first to do something if you place enough arbitrary restrictions on what that something is.
"Modern" is for CS people like "Alternative facts" is for politicians.
I don't even understand the point of the claim. So the interpreter has a baked-in crypto library? And how is that different than simply #including a crypto library, which has the added bonus that you can pick any number of crypto libraries.
Hey, you're the first user in this thread whose user id starts with 15680 to say THAT.
I think the point is "first" is a weird word to use when you are talking about "modern" as "modern" changes with time.
OpenSSL or mcrypt or whatever else you might point to were "modern" when they were "first" used, even if they aren't "modern" any more.
"Only" might be a better choice if you are talking about the current time.
So they'll be the first to do it wrong? (Score:3)
I'll stick to every other language that has had libsodium bindings for a while now.
Re:So they'll be the first to do it wrong? (Score:4, Funny)
I'm just waiting for them to release the libsodium bindings for C...
libsodium is a C library (Score:1)
Too little... too late... (Score:2)
Ahhh PHP.... (Score:2)
PHP, the "Speak 'n Spell" of programming languages.... More marketing fluff.
PHP is one of the programming languages, which load all stuff into the core (which can be quite a disadvantage), but other languages use a library by a single include. So what?
And even php has it into a .so file, which can be loaded, but isn't required to be used. So the "core" is relative as well. Actually it's a bundled module.
Perhaps instead of building everything and ..... (Score:1)
.... a kitchen sink into the core, they could have instead done a *sane* way to include additional modules.
Perl and Python for example have no problem loading user-specific or script-specific modules, not like the "system wide or nothing" approach of PHP. ( which of course doesn't work with shared hosting. )
Other languages did this first (Score:2)
I remember when Java was the first language to do this. Shortly after that, C# was the first language to do this. Now PHP is the first language to do this. So who will be the next one to do it first?