Re: PHP Crypt functions - security audit

From: Date: Mon, 16 Sep 2013 11:56:58 +0000
Subject: Re: PHP Crypt functions - security audit
References: 1  Groups: php.internals 
On Mon, 2013-09-16 at 11:56 +0100, Alain Williams wrote:
> In the light of the recent scandal of the NSA (& others) attacking encryption
> would it be a good idea to see if we can get an audit of all the security
> related code in PHP ? It would do a bit to help boost confidence in PHP - and
> might even find something (although I hope not).

PHP itself doesn't do much crypto stuff. We rely mostly on libs like
openssl etc. and provide hashing algorithms which follow the
specifications. If the specifications are bad this is a global non-PHP
issue.

> What I am thinking of:
> 
> * done by people outside of the usual PHP community.

If you get reviewers to review our code we're happy to receive feedback
on bugs.php.net or [email protected].

> * the final report, and any interim ones, to be published in their entirety.
> 
> * done by people who have real clue when it comes to security [count me out :-) ].

The issue is that most people with "real clue" either charge a lot of
money or tend to do more self-promotion than actual help. 

> Why ? To improve the public confidence in PHP.
> 
> Just in case you have been living under a stone recently:
> 
>     https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

Note that most of these things don't refer to PHP directly, i.e.
encryption between user and PHP is usually done by the web server.
Encryption between PHP and databases by database libraries. If
applications built on top of PHP don't do proper end-to-end encryption,
it is also no issue of the platform in itself.

johannes
