WPTavern: Matt Mullenweg Responds to Security Rant: Digital Signatures for WordPress Updates Are Important but Not a Priority
Scott Arciszewski, Chief Development Officer for Paragon Initiative Enterprises, who is most widely known for his cryptography engineering work, published a post on Medium criticizing Matt Mullenweg, co-creator of the WordPress open-source software project, for not caring enough about security. Arciszewski has since retracted the post but you can read it via the Wayback Machine.
Arciszewski is working on a project known as libsodium, a core extension to PHP 7.2 which allows for encryption, decryption, signatures, password hashing and more. Its goal is to enable developers to build higher-level cryptographic tools.
WordPress’ automatic update system is handled through api.wordpress.org. Since updates do not have a digital signature, if api.wordpress.org were compromised, attackers could send malicious updates to thousands or millions of sites. This scenario was at the forefront of people’s minds late last year after Wordfence published details of a complex security vulnerability that could have compromised the update servers.
Arciszewski suggests offline code signing and elliptic curve cryptography as solutions, “The key that can produce a valid signature for a file isn’t stored on the server (only the file itself and a valid signature are), so even if the server gets hacked, attackers can’t just add trojan horse malware to the file,” he said.
OpenSSL is an extension of PHP and is commonly used as public-key cryptography but it only supports RSA which Arciszewski deems inadequate. Since WordPress is written in PHP and supports versions 5.2-7+, Arciszewski needed to create a solution that was as compatible. This inspired him to create sodium_compat that adds Ed25519 signature verification to WordPress’ automatic updater.
Arciszewski submitted a number of patches to WordPress but was told by Dion Hulse, WordPress core developer, that the sodium_compat library could not be merged into core until it passed a security audit by a third-party. Audits can cost a lot of money so Arciszewski’s plan was to see if Automattic could take on some of the cost or crowd-source the funds. However, his project was put on hold after Mullenweg informed Hulse to stop working on the feature as it’s not related to the three core focus areas of the Editor, Customizer, and the REST API.
Arciszewski described the decision as irresponsible and that every user has a reason to be alarmed, “The WordPress team has shown that they are not responsible enough to govern their impressive ownership of the Internet (with the exception of some folks powerless to correct the organization’s course),” he said. “This act of negligence will put the rest of the web in harm’s way.”
Update Signing is Important but Not a Priority
Mullenweg responded to the post on Medium.com with one of his own and reiterated the WordPress development team’s commitment to security.
“Everyone involved takes their responsibility very seriously, and the growth of WordPress has meant many thoughtful, hard-working people have gotten involved and think of the security of WP sites holistically, from every angle,” he said.
Mullenweg also clarified what attacks would be stopped by implementing digital signatures to WordPress updates.
“It could stop a man in the middle attack, where someone modifies the update files on the network in between your blog and WordPress.org, or it could stop a situation where the part of .org that serves the update is compromised but the signing part isn’t, and someone decided to send out updates even though they know they’ll be rejected,” he said.
The team is unaware of any WordPress sites that have been attacked this way. While the possibility exists, the extent of the damage would likely be limited. The update servers are monitored around the clock and since many large webhosting companies automatically scan their customer’s sites for malware, the malicious update would likely be discovered quickly.
Mullenweg describes what would happen if an update server was compromised.
“We would turn it off really quickly, notify the world there was an issue, fix the problem, turn it back on, and notify the specific sites or hosts as able,” he said. Although WordPress powers 27.5% of the top 10 million sites tracked by Alexa, it’s highly unlikely that number of sites would be compromised.
He goes on to say that there are easier ways to compromise a WordPress site and listed the biggest issues to WordPress security based on impact.
- Sites not updating core.
- Sites not updating plugins.
- Sites not updating themes.
- Weak passwords, without brute-force protection or two-factor authentication.
- Hosts (professional or ad-hoc) not scanning and fixing sites.
- Hypothetical issues not seen in practice, which distract from the above existing priorities.
Mullenweg confirms that he offered to donate to the audit of sodium_compat a day before Arciszewski published his post. Even if the library passed an audit, the code couldn’t immediately be added to core, “You would also need to do some significant work on the server-side to isolate the signing from the update server, so it’s worthwhile in the first place,” he said.
And if the code were added to core, only the sites that updated to the version that has the cryptographic library and the update checking would be able to take advantage of it. WordPress.org would still need to send updates to older versions that don’t have update checking. These sites would still be vulnerable to receiving a malicious update.
Mullenweg says that digital signatures and update signing will end up in WordPress eventually but it’s not a priority as there are other security issues in front of it, “We are prioritizing those issues above a nice-to-have, defense in-depth effort,” he said.
“A good approach would be to build the server-side first, because doing that properly, say with an HSM, is the difficult and important part; then get the packages signed; then test out verification in a plugin because we don’t want to break auto-updates; and then finally merge into core and set the client to reject non-signed updates. On the client side we need to pick a cryptography library, and get it audited.”
Mullenweg ended his post explaining why he published his response on Medium instead of his personal site. “Seems to be the most popular place for rants like this. I also wanted to try out the famous Medium editor,” he said.
What’s Next For sodium_compat
While the prospects don’t look good for his library being added to WordPress in 2017, Arciszewski says there are plenty of other PHP projects that could benefit from it, “For their sake, I’m still strongly inclined to pursue an independent third-party cryptography audit, and attempt to crowd-fund the cost,” he said.