PHP Becomes First Programming Language To Add 'Modern' Cryptography Library In Its Core (bleepingcomputer.com) 76
An anonymous reader writes from a report via BleepingComputer: The PHP team has unanimously voted to integrate the Libsodium library in the PHP core, and by doing so, becoming the first programming language to support a modern cryptography library by default. Developers approved a proposal with a vote of 37 to 0 and decided that Libsodium will be added to the upcoming PHP 7.2 release that will be launched towards the end of 2017. Scott Arciszewski, the cryptography expert who made the proposal, says that by supporting modern crypto in the PHP core, the PHP team will force the WordPress team to implement better security in its CMS, something they avoided until now. Additionally, it will allow PHP and CMS developers to add advanced cryptography features to their apps that run on shared hosting providers, where until now they weren't able to install custom PHP extensions to support modern cryptography. Other reasons on why he made the proposal are detailed here. Arciszewski also says that PHP is actually "the first" programming language to support a "modern" cryptography library in its core, despite Erlang and Go including similar libraries, which he claims are not as powerful and up-to-date as PHP's upcoming Libsodium implementation.
Oh please (Score:3, Interesting)
Any language where the default equality comparison operator is *true* given two string-type variables with values "0E54321" and "0E12345" is not a cryptographically secure language. In fact there is a nonzero chance of the default equality operator returning true between two different MD5 or SHA256 hashes if they happen to fall into a hexadecimal form that is all digits except for one E or F.
Anyone who claims that PHP is somehow more secure as a language because it has added *new optional library calls* without doing anything about the fundamental language defects is demented.
Re: Queue the Rust is better people (Score:2)
Cue*
Re: (Score:3)
PHP has a comparison operator === that evaluates if the two things it is comparing are equal and of the same type.
$ php -r "if (\"0E54321\" === \"0E12345\") { echo 'equal'; } else { echo 'not equal'; } "
not equal
Without ===, variable type conversion can cause a string containing numbers to be converted to an integer. See these links for details:
http://php.net/manual/en/langu... [php.net]
http://php.net/manual/en/langu... [php.net]
Re:Oh please (Score:4, Interesting)
Except for objects, where a === b is true only if a and b are the same object. Such a beautifully designed language.
Re: (Score:2)
Please tell me you are kidding me on this? I haven't touched PHP so this is all new to me...if it is true.
Re: (Score:3)
Oh, how i wish i was: https://developers.slashdot.or... [slashdot.org]
Re: (Score:2)
even the double equals of C is one of the least "beautiful" design decisions ever made.
It's not because some not so good programmers confuse '=' with '==' that '==' is not "beautiful". On the contrary, I think this is one of the many genius ideas K&R had at the time ('a = b', 'a == b'... think about it!)
Re: (Score:2)
Except for objects, where a === b is true only if a and b are the same object
In Java, a == b is true if a and b references are identical, which is probably what does PHP under the hood.
Re: (Score:2)
Yes. Now go ahead and guesstimate the percentage of major PHP software packages accidentally using == where the developer should have used ===.
Whose fault is that?
Same type inequality comparison operators? (Score:2)
Is there also a "less than and of the same type" operator? Or is calling strcmp() the best practice for this?
Re: (Score:2)
if ("0E54321" === "0E12345") { echo 'equal'; } else { echo 'not equal'; }
Too bad your example is useless (like 80% of PHP's doc examples anyway), since if ("0E54321" == "0E12345") (only 2 '=') yields also 'not equal'. A more relevant example is if ("123" === 123) (yields false but '==' yields true).
Re: (Score:2)
Without ===, variable type conversion can cause a string containing numbers to be converted to an integer.
Yep, and as much as I like php, I'll be the first to say that php's "converting a string to an integer" as a default behavior is idiotic. It's just an accident waiting to happen.
Re:Oh please (Score:4, Interesting)
Any language where the default equality comparison operator is *true* given two string-type variables with values "0E54321" and "0E12345" is not a cryptographically secure language. In fact there is a nonzero chance of the default equality operator returning true between two different MD5 or SHA256 hashes if they happen to fall into a hexadecimal form that is all digits except for one E or F.
Technically, that (in itself) doesn't necessarily mean that the built-in cryptography nor the language itself are inherently insecure. In theory, that is, provided you understand the language and use it correctly.
And that's the problem. Because in practice, PHP's design philosophy of trying to be clever- often too clever by half- when it comes to comparisons, equality, automatic coercion, data types, etc. etc. too often gives unpredictable and unexpected results from people who weren't aware of that behaviour.
You absolutely do *not* want any risk of this happening when you're designing a system that has to be secure. You want boringly explicit and utterly predictable data and type handling.
My prediction is that far, *far* more security holes will be down to bugs caused by unforeseen subtle aspects- i.e. pitfalls- of PHP's type handling and equality behaviour (etc.) in the apps using it rather than bugs in the cryptographic module itself.
PHP being a language more favoured by inexperienced users, this is likely to be made far worse. Expect lots of newbies with misplaced confidence designing what they think are "secure" apps that are in fact full of holes- either because they've misused or misunderstood the cryptographic module, or because they've overlooked some basic aspect of computer security elsewhere (e.g. failure to parse input securely) that makes the use of cryptography irrelevant.
And those are the sorts of mistakes newbies would make when using any language- with PHP's language design issues on top of that, it has the potential to be far worse.
So, yeah. I trust that the module will be secure. The main problems- I guarantee- will be caused by caused by overlooked (or not known about) aspects of PHP's too-clever-by-half data handling (in client apps using it) leading to exploitable holes, and by the fact that too many of PHP's newbie-skewing userbase will overconfidently assume it makes their apps foolproof while using it incorrectly and ignoring security holes elsewhere that make it redundant.
Re: (Score:2)
Agreed. The problem is not the library - PHP is intrinsically insecure. I'm not aware of any other language out there that can reliably be made to segfault [php.net] and whose developers argue such behavior is working as intended.
SubjectsSuck (Score:5, Informative)
Arciszewski also says that PHP is actually "the first" programming language to support a "modern" cryptography library in its core, despite Erlang and Go including similar libraries, which he claims are not as powerful and up-to-date as PHP's upcoming Libsodium implementation.
So it's the first to support a modern cryptography library, as long as you define "modern" to mean "the one that we're using."
It's easy to be first to do something if you place enough arbitrary restrictions on what that something is.
Re: (Score:3)
"Modern" is for CS people like "Alternative facts" is for politicians.
Re: (Score:3)
I don't even understand the point of the claim. So the interpreter has a baked-in crypto library? And how is that different than simply #including a crypto library, which has the added bonus that you can pick any number of crypto libraries.
Would you prefer an interpreted crypto library? (Score:2)
And how is that different than simply #including a crypto library, which has the added bonus that you can pick any number of crypto libraries.
I can see three ways to proceed:
Re: (Score:1)
Libsodium is an extended fork of Daniel J. Bernstein's [wikipedia.org] original NaCl [cr.yp.to] project (not to be confused with Google Native Client), which is a cryptography library developed with the overarching aim of simplifying (and improving the implementation-level safety of) the practical use of strong cryptographic constructs. The "big idea" behind NaCl was to abstract away many of the low-level choices and technical details associated with various cryptographic primitives in favor of more "generic" interfaces, utilizing im
Re: (Score:1)
Hey, you're the first user in this thread whose user id starts with 15680 to say THAT.
Re: (Score:3)
I think the point is "first" is a weird word to use when you are talking about "modern" as "modern" changes with time.
OpenSSL or mcrypt or whatever else you might point to were "modern" when they were "first" used, even if they aren't "modern" any more.
"Only" might be a better choice if you are talking about the current time.
So they'll be the first to do it wrong? (Score:3)
I'll stick to every other language that has had libsodium bindings for a while now.
Re:So they'll be the first to do it wrong? (Score:5, Funny)
I'm just waiting for them to release the libsodium bindings for C...
Re: (Score:2)
The only way to really get libsodium to bind with C is to use Google's Native Client environment.
libsodium is a C library (Score:2)
Too little... too late... (Score:2)
Re: (Score:2)
I'm using Pelican (Python) to convert my websites into static websites. With nothing to hack, script kiddies go away.
How do you edit your Pelican-powered website while away from your home PC? Skiddies can hack through that.
Ahhh PHP.... (Score:2)
PHP, the "Speak 'n Spell" of programming languages.... More marketing fluff.
BULLSHIT! (Score:2)
BULLSHIT! BULLSHIT! BULLSHIT!
PHP is one of the programming languages, which load all stuff into the core (which can be quite a disadvantage), but other languages use a library by a single include. So what?
.so file, which can be loaded, but isn't required to be used. So the "core" is relative as well. Actually its a bundled module.
And even php has it into a
Perhaps instead of building everything and ..... (Score:2)
.... a kitchen sink into the core, they could have instead done a *sane* way to include additional modules.
Perl and Python for example have no problem loading user-specific or script-specific modules, not like the "system wide or nothing" approach of PHP. ( which of course doesn't work with shared hosting. )
Other languages did this first (Score:4, Interesting)
I remember when Java was the first language to do this. Shortly after that, C# was the first language to do this. Now PHP is the first language to do this. So who will be the next one to do it first?
Re: (Score:2)
guess back in the late 80s ANSI weren't smart enough to include block cipher libraries we were calling from FORTRAN and C into the languages. pfft, php never disappoints, it's like the QBASIC of the 21st century
I'm not sure this is a good idea (Score:2)
Gotta love PHP ... (Score:2)
I'm smiling while I read this.
Every single bit of this news is sooo PHP and one of the reasons this awkward mess of a PL is so successful. [slashdot.org]
They find something new or something they need and bolt it on. Just like that. End of story. A vote on the core team, a little coding and *BAM* PHP has a new inner API function with what has to be the most over-the-top all-out-PHP-style name for an inner API function ever - sodium_crypto_box_keypair_from_secretkey_and_publickey($ecdh_secret, $ecdh_public); (seriously,
Monte beat PHP by a year! (Score:2)
My beloved Monte https://monte.rtfd.org/ [rtfd.org] beat PHP to this by a wide stretch. While it's true that PHP is a big established language, that doesn't mean that they get to claim sudden leaps in innovation which didn't happen. I've tweeted at the author of the blog post https://twitter.com/corbinsimpson/status/834175224736157696 [twitter.com] with timestamped commits from the Monte codebase.
So, you're embedding libsoduim... (Score:4, Interesting)
...which effectively prevents me from updating it. Great choice for a security library guys.
Re: (Score:2)
Sorry, that is not enough. There's a vast difference from updating a crypto library (which can happen, f.ex, due to security updates) to updating the whole damn language, which can have system-wide implications.
Every time I see a PHP job ad I think (Score:1)
"...man, you guys must have some serious technical debt"
I built a startup's entire stack on PHP back in the 2003-2006 time, now I look back and SMH at the foolishness. If you want a quick'n'weakly-typed language (which I often do), Python beats the crap out of PHP, as well as being ten times more readable.