WPTavern: Learn How to Find and Exploit XSS Vulnerabilities with Google’s XSS Game

In 2016, Acunetix, a UK-based security firm, found that 33% of websites and web apps are vulnerable to XSS. This number is down 5% from the company’s findings for the previous year, but it’s still one of the most common vulnerabilities. In fact, every WordPress security release for the past year has included patches for cross-site scripting (XSS) vulnerabilities, including 4.5.2, 4.5.3, 4.6.1, 4.7.1, 4.7.2, and many other previous releases.

Google has created a fun and educational XSS game that teaches new bug hunters how to find and exploit XSS vulnerabilities. Each level asks the student to inject a script that pops up an alert() inside the training application. The first few levels are fairly easy, and the difficulty increases with each level.

It was designed for developers who work on web apps but do not specialize in security. Google’s goal with the game is to help developers get better at recognizing the vulnerabilities in their own code:

This security game consists of several levels resembling real-world applications which are vulnerable to XSS – your task will be to find the problem and attack the apps, similar to what an evil hacker might do.

XSS bugs are common because they have a nasty habit of popping up wherever a webapp deals with untrusted input. Our motivation is to highlight common coding patterns which lead to XSS to help you spot them in your code.

The intro to the game tempts new recruits to hone their skills with promises to pay mercenaries up to $7,500 for discovering XSS bugs in Google’s most sensitive products. It gives a nice introduction to common attack vectors for XSS vulnerabilities and congratulates winners with a cake and a link to more in-depth XSS documentation from Google’s collection of application security resources.

The XSS game has been around for a few years and provides a fun way to start your XSS learning if you have a few minutes over the weekend. With the constant stream of security updates for WordPress core, plugins, and themes, it’s good to get a basic understanding of what many of these patches are for. After a little bit of study and practice, you may be able to find XSS vulnerabilities in applications and help make the internet more secure.
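The "common coding pattern" the game is built around is untrusted input concatenated straight into markup. The following is an added example (not code from Google's game or from WPTavern) showing that pattern beside the escaping that neutralises it, and going one step further than the text by showing that the right escaping depends on where the value lands: HTML text, a quoted attribute, or an inline script. The render functions and the constructed probe string are illustrative assumptions.

```javascript
// Vulnerable pattern: a user-supplied search term is dropped into the page
// exactly as received, so a term containing markup becomes part of the DOM.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Escape the five characters that can change meaning in HTML text and in
// quoted attribute values. Everything else is left alone.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form of the same page: the term is rendered as text, not markup.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Attribute context: HTML escaping is sufficient only because the attribute
// value is quoted; an unquoted attribute would need a much stricter encoder.
function renderInputSafe(query) {
  return `<input type="text" name="q" value="${escapeHtml(query)}">`;
}

// JavaScript-string context: HTML escaping does nothing here. Encode the value
// as a JSON string literal, then hex-escape the characters that could close the
// surrounding <script> element or break a JS string (U+2028 / U+2029).
function renderInlineScriptSafe(query) {
  const literal = JSON.stringify(String(query))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `<script>var q = ${literal};</script>`;
}

// Review helper: does a rendered fragment contain a script element at all?
// Useful when checking rendered output in tests or during a code review.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed probe: the kind of input the game's levels are solved with.
const probe = '<script>alert(1)</script>';
console.log('unsafe :', renderSearchUnsafe(probe));
console.log('safe   :', renderSearchSafe(probe));
console.log('attr   :', renderInputSafe('a"b'));
console.log('script :', renderInlineScriptSafe('</script>'));
```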


Source: planet

Post Status: Running a successful regional agency, with Ben May

Welcome to the Post Status Draft podcast, which you can find on iTunes, Google Play, Stitcher, and via RSS for your favorite podcatcher.

In this episode, Brian interviews Ben May to talk about running The Code Company, a semi-remote agency based in Queensland, Australia. The Code Company works primarily with long term clients and repeat work, and they’ve grown from just Ben to a team of 11 almost entirely by referrals for new customers.


Direct Download: https://audio.simplecast.com/61169.mp3

Sponsor: WooCommerce

This episode of the Draft podcast is sponsored by WooCommerce. WooCommerce makes the most widely used eCommerce platform on the web, and has the power and flexibility you need to power your store. For more information on how to run your store with WordPress and WooCommerce, check out their website, and thank you to WooCommerce for being a Post Status partner.


WPTavern: FOSSA Raises $2.2M to Automate Open Source License Compliance

Kevin Wang and his team at FOSSA have carved out a niche for themselves in the open source product space with the launch of their license compliance and dependency analysis tool. The company announced a $2.2 million seed round this week after completing a year-long private beta period with Fortune 500 companies. FOSSA continuously scans dependencies and offers reports at each commit to help companies meet the legal obligations of compliance as they are incorporating open source libraries.

The public beta is now free and open to anyone, offering support for up to 5 public/private repos and scanning three levels deep with open source reports. A $499/repo per month commercial option is also available with unlimited scan depth and customizable open source reports.

“It’s mind-boggling that in 2017, software companies don’t really know what’s in their code,” Wang said. “90% of it now comes from third parties like open source (OSS) codebases. Although it sounds trivial, it’s actually really difficult to keep track of what your developers use. Most of this code isn’t explicitly included — instead it’s brought in automatically by complex tool behavior or one of the million ways developers casually share code.”

FOSSA can detect license and policy violations and unlicensed dependencies before an expensive mistake is fully integrated into a project. The real-time feedback forces developers to consider how they are using the libraries they are building into their software.

Competitors like WhiteSource and Black Duck Software, which offer open source risk management tools, detect and display licenses for components and dependencies for applications but seem more focused on bugs and vulnerability reporting. FOSSA is solely focused on OSS license compliance and automating disclosure and attribution.

Compliance is becoming increasingly difficult as developers can easily execute a few commands and import dozens of npm modules that inherit licensing obligations from a myriad of different sources. Even governments and large companies with plenty of resources struggle to keep track of all the open source requirements of the software they are using.

In 2013, Healthcare.gov violated an open source license when it used the DataTables jQuery plugin without the required attribution. Last year, Google was embroiled in a court battle with Oracle over the use of Java in Android.

A tool like FOSSA could have helped Wix catch its violation of the GPL in 2016 when the company used GPL-licensed code from the WordPress mobile app and distributed it in its proprietary app. FOSSA aims to catch licensing issues before they become expensive problems for developers to rework and lawyers to settle.

A few years before beginning work on FOSSA, Wang built tl;drLegal, a site that explains software licenses in plain English. The free resource received backing from the Open Source Initiative and has been used by more than a million developers. Wang said he “sees FOSSA as an attempt to tackle similar problems in a commercial scenario.”

FOSSA will be expanding its pricing options later this year. At the moment, the free beta and the $499/month commercial options leave a gaping hole that excludes smaller organizations. Wang replied to pricing questions on ProductHunt, saying that they are targeting enterprise customers first but plan to introduce more options for small teams and individuals.


WPTavern: Discourse Creates Encouragement Fund to Pay Contributors for Mission Critical Work

Discourse is free, open-source discussion software created by Jeff Atwood in 2013. In addition to celebrating its fourth birthday, the team announced the Discourse Encouragement Fund. The fund allows the development team to pay contributors for critical work.

In the course of a year, Discourse has paid 16 different developers a total of $17,000 to work on tasks. All of their work is open source and two of the contributors joined the team as full-time employees.

Discourse shared its 7-step process for rewarding contributors and the one that sticks out to me is number four: “We choose who, what and when.”

“At first we tried to put tasks ‘up for grabs’, but this method didn’t work too well,” Erlend Sogge Heggen, Community Advocate at Discourse said. “You end up with multiple takers and you have to pick one and let others down.”

“Instead, we approach developers individually, one at a time. Since we’re an open source project we know fairly well who’s capable of what, so we’ll tap our top prospect, present the task and ‘bounty’, and get a yes or no.

“If no, we move on to the next good prospect. If we run out of good prospects for a specific task, we’ll either do it ourselves or put it on hold.”

Heggen says the program has worked well thus far and will continue indefinitely. “As much as we’d like to, we can’t put every one of our contributors on a steady payroll,” he said.

“What we can do is remind them that the work they’re doing is valuable, in every sense of the word, and that there is money to be made from specializing in Discourse.”

The program is funded by customers who purchase hosting plans. “The general idea is that paying customers help improve Discourse, both for themselves, and for the greater open source community at large,” Atwood said.

Introducing money into an open source project can be risky but so far, Discourse has found a way to make it work.


WPTavern: Cloudflare Memory Leak Exposes Private Data

Cloudflare, a content distribution network used by many popular sites, published detailed information about a security vulnerability that leaked user information, some of it private, such as passwords and private messages. The vulnerability was discovered by security researcher Tavis Ormandy, a member of Google’s Project Zero team.

The issue stems from a memory leak in an HTML parser named cf-html that was created to replace an older parser based on Ragel.

“It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used,” John Graham-Cumming, Chief Technology Officer at Cloudflare said. “Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself.”

The earliest date on which information was leaked was September 22nd, 2016, when Automatic HTTP Rewrites were enabled. This was the first of three features introduced that used the parser. The other two are email obfuscation and Server-side Excludes.

The greatest period of impact was between February 13th and February 17th. The leaked information ended up in publicly available cached webpages. Cloudflare worked with major search engine providers to have the cached pages scrubbed before publicly announcing details of the bug.

“With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory,” Graham-Cumming said. “Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines. We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything.”

1Password is Not Affected

Earlier reports indicated that 1Password was among the sites affected. Jeffrey Goldberg, a 1Password employee, assured users that the Cloudflare data leak does not affect 1Password.

“At the moment, we want to assure and remind everyone that we designed 1Password with the expectation that SSL/TLS can fail,” Goldberg said. “Indeed it is for incidents like this that we deliberately made this design.”

“No secrets are transmitted between 1Password clients and 1Password.com when you sign in and use the service. Our sign-in uses SRP, which means that server and client prove their identity to each other without transmitting any secrets. This means that users of 1Password do not need to change their Master Passwords.”

Change Your Passwords

Nick Sweeting has used a number of web scrapers to compile a list of sites that use Cloudflare. The list is available on GitHub and currently contains 4,287,625 domains that are possibly affected. Popular domains in the list include:

  • authy.com
  • coinbase.com
  • digitalocean.com
  • patreon.com
  • bitpay.com
  • news.ycombinator.com
  • producthunt.com
  • medium.com
  • 4chan.org
  • yelp.com
  • okcupid.com

The bug also affects mobile apps, as HTTP header data for apps such as Discord, FitBit, and Uber has been discovered in search engine caches. NowSecure published a list that includes 200 iOS apps that use Cloudflare services.

Users are strongly encouraged to change their passwords regardless of whether a site uses Cloudflare. Those who use Cloudflare should generate new API keys and consider forcing a password change for their users.

Two-factor authentication should be enabled where possible so that the password is not the only credential needed to access an account. Mobile users should log out of mobile applications and log back in to create a new active token. To force all users on a WordPress site to log out and log back in, WPStudio recommends changing the salt keys in wp-config.php.

Although major search engines are actively scrubbing cached pages, the leaks have been occurring for at least four months. There’s no telling who may have already scraped those pages and archived the data. There’s also the possibility that someone discovered the vulnerability before Ormandy and has been parsing cached pages for months. This is why it’s important that at a minimum, you change your passwords.


WPTavern: Disqus Hits Sites with Unwanted Advertising, Plans to Charge Large Publishers a Monthly Fee to Remove Ads

When Disqus announced it would be releasing new, subscription-based versions later this year, users didn’t expect to have the new advertising model injected into their sites without notice. Disqus CEO Daniel Ha said the company would release finalized pricing and provide more details well in advance of its planned March release, but users are reporting that the advertising has already been forced into their comments without warning.

“We are one of the lucky 5% who now has to pay if we don’t want really irrelevant and horribly spammy links just plopped on our site with zero warning,” BabyCenter Social Media Manager Dina Vernon Freeman said. “Unless our users (mainly millennial parents) should care about overpaying for dentures! We’re looking for other platforms ASAP.”

Brian O’Neill, who manages Slugger O’Toole, a site with more than 70,000 readers, was also hit with unwanted advertising on his site.

“Disqus has started to put ads into our comments section of our site without even telling us,” O’Neill said in a post explaining the new ads to the site’s readers. “As you can imagine I am extremely annoyed at this – I hate crappy online ads as much as you do. Supposedly we can remove the ads if we pay them $10 a month, but as yet there is no mechanism on their site to do this.” O’Neill said he is also exploring alternative commenting systems if he is unable to remove the advertising.

Disqus responded to user complaints with a post to clarify that advertising will remain optional for more than 95% of the sites on Disqus.

“Larger, commercial, sites that elect to use the free version of Disqus will be supported by configurable advertising and have the option to earn revenue through the Reveal program,” Disqus Marketing Manager Mario Paganini said. “For small, non-commercial sites, advertising will be optional. These sites will be able to use Disqus’ ads-optional subscription, free of charge.”

Publishers asked in the comments when the option to pay to remove ads will become available, as an option to pay isn’t currently in place.

“Larger sites will be able to run a paid subscription version of Disqus that includes the ability to remove ads along with additional features,” Paganini said. “We are aiming to have this available in the next couple of months. We will be making periodic updates on our blog and talking to publishers in the meantime.”

Disqus is moving to focus on its larger publishers but has already attracted angry criticism from publishers that were not properly informed of the changes. Over the years the company has experimented with different ways of monetizing the commenting platform, often frustrating users in the process of making important changes.

In 2014, Disqus began experimenting with advertising in the form of “Sponsored Comments” that users could not turn off without contacting support. This move drew criticism from WordPress co-founder Matt Mullenweg who essentially called out the ads as little more than comment spam. After a negative reaction from its community, Disqus quietly discontinued the Sponsored Comments and scrubbed the announcement post from the internet.

Disqus Delivers Low-Quality Ads

Disqus has struggled to land on an effective advertising model that will convince users to get on board. Its Reveal advertising program is notorious for serving low-quality ads and has inspired little confidence in users who have tried it. The following is one of the tamer examples:

“I think if you had somewhat decent advertising you might convince people that it’s worth it, but I had to yank it from one of my sites because it was all ‘Ron Paul wants you to buy gold!’ and ’22 times the photos showed too much!’” Paul King, an author who writes for multiple publications, commented on Disqus’ most recent advertising announcement. “Just put in a tier of non-spam advertising that’s actually relevant or charge based on comments or something.”

Twitter is filled with complaints from users who are dissatisfied with the questionable quality of Disqus’ advertising. Many are searching for alternatives.

This recent move to turn on advertising without publishers’ permission is another communication blunder in the same vein as the previous attempt at Sponsored Comments. Disqus has failed to find a communication strategy that respects users’ content while leading the company towards its goals at the same time. With spam-quality ads deploying network-wide, the company can certainly expect that some users will be willing to pay the $10/month to turn them off. Sadly, the experience of paying to turn off offensive ads feels more like getting mugged on your way to work than upgrading your service.

The Disqus Comment System plugin has been hovering around 200,000 active sites for the past two years and its ratings continue to plummet on WordPress.org. Unless Disqus is able to dramatically improve its advertising network before its official March release, we may see a mass exodus to other commenting systems.


WPTavern: How to Check if Installed Plugins Are No Longer in the Plugin Directory

When we wrote about why plugins sometimes disappear from the WordPress plugin directory, it generated a healthy discussion in the comments. One topic raised was whether users should be notified when a plugin disappears and, if so, how.

Currently, when a plugin is hidden on the directory, users are not notified. If it’s removed due to a security vulnerability and the author chooses not to fix it or move the plugin somewhere else such as GitHub, users are left in the dark.

Donna Cavalier shared a recent example of why users should be notified. Contact Form DB is a popular plugin that saves contact form submissions from many popular Contact Forms plugins to the database. As of October 30th, 2016, it was actively installed on more than 400K sites.

Approximately one month ago, the plugin was hidden due to a security vulnerability. Instead of releasing a patch, Michael Simpson, creator of Contact Form DB, moved the plugin to GitHub and subsequently released a new version that patched the vulnerability. Simpson says the person on the plugin review team that he spoke with was condescending, unprofessional, and rubbed him the wrong way.

“I’m happy to address any issues and meet any standards, but I’m at the limit of my patience,” Simpson said.

“I try to be a good citizen and give back to the community. I’ve put in countless hours for close to seven years now. When I’m treated like this, it seems WordPress doesn’t value me or my contribution to its community.

“Anyway, I put the code on GitHub and I will continue to support it. But at this point I’m not sure I want to deal with people like this to re-list the plugin on this site. I don’t need the frustration.”

If you use Contact Form DB, please update to 2.10.30 as soon as possible as it contains the aforementioned security fix.

It’s impossible for Contact Form DB users to automatically install updates from GitHub without installing an updater plugin. This leaves thousands of sites at risk.

How to Know When Installed Plugins Are No Longer in the Directory

In the comments of our article, Tavern reader Central Geek shared links to a couple of plugins aimed at providing useful information, such as whether a plugin has been abandoned, and better plugin compatibility information.

One of the plugins he mentions is called No Longer in Directory, developed by White Fir Design. The plugin adds a page to the WordPress backend that informs users if any of the installed plugins are no longer available in the plugin directory. It also separately lists installed plugins that haven’t been updated in two years or more.

The check is performed using the plugin directory’s folder name. The author notes that this could cause plugins that have never been in the plugin directory to be flagged if they use the same folder name as a plugin that was in the directory in the past. If you encounter this situation, you’re encouraged to create a new thread on the plugin’s support forum.

So far, No Longer in Directory is actively installed on more than 1K sites. Out of a total of six reviews, its average rating is 4.8 out of 5 stars. I tested the plugin with WordPress 4.8 alpha and didn’t encounter any issues.

If this is a feature you’d like to see implemented in WordPress, consider voting for it. So far, the idea has 43 votes with a five-star average rating. Mika Epstein, Plugin Directory Representative, responded to the idea four years ago noting that it was being worked on.

As Epstein mentioned in our previous article, explaining WHY a plugin has been closed is complex.

“Obviously the last thing we want are people getting hacked, but it presents us with a few options and they all have flaws,” she said.

“We’ve not been able to determine a way to tell people ‘This plugin is gone, don’t use it’ and ‘This plugin is gone, but use it if you want.’ without putting users at risk.”

If a Plugin Is Permanently Removed From the Directory, Users Should Be Notified

I believe users should be informed if a plugin is permanently removed from the directory. It doesn’t make sense to notify users if it’s temporarily hidden due to violating a guideline or a security issue. Plus, between upgrade and admin notices, users are receiving enough notifications as it is.

I’m unsure if the notification should be an admin notice, as we’ve already documented how plugin authors are using them to advertise. Users are increasingly getting annoyed by them and their usefulness is in decline.

There’s also the question as to who is responsible for informing users. This responsibility should fall squarely on the plugin author. If I were a plugin author who was not interested in someone adopting my plugin and wanted it removed from the directory, I’d do so by pushing out one last update.

I’d explain in the plugin’s description and changelog that support and updates would no longer occur and that users should seek alternatives. I might even suggest a few that come to mind. Then, after about a month, I’d submit a request to the plugin review team to permanently remove it.

This would give users a heads up and plenty of time to seek out an alternative. The Post Template plugin is a good example of this idea in action. Here is the notice it displayed on all of its settings pages before it disappeared.

Since version 4.0.0, the plugin has been released under a commercial license. New features such as addition of custom fields to the templates have been added. Furthermore, this version is discontinued, which means that no further bug fixes, new features and compatibility fixes for new WordPress versions will be implemented. If you want to buy the latest version of Post Template, please visit the plugin web page.

By notifying users ahead of time, the responsibility shifts to the user to find an alternative.

Simpson said he’ll work to get the plugin re-listed but it may take some time as he’s swamped with work. At the time of publishing, the plugin is not available on WordPress.org.

An Unfortunate Situation for Users of Contact Form DB

While users sympathized with Simpson over his decision, I think it’s partly irresponsible. If a plugin has a security vulnerability, patching it and making it available as soon as possible should take precedence over how one feels about a situation.

Instead of putting aside differences and pushing out an update to patch a security vulnerability, Simpson chose to move the plugin and the patched version to GitHub. The decision not to work with the plugin review team has put thousands of sites at risk with no easy way for users to update.

Hopefully, Simpson will work with the team to get a patched version of Contact Form DB back onto the directory as soon as possible. Until then, if you use Contact Form DB, please update to 2.10.30 manually as it patches the security vulnerability.


WPTavern: WPWeekly Episode 263 – Plugins Disappearing, WordCamp Miami, and OSTraining

In this episode, Marcus Couch and I discuss the news making headlines, including WordCamp Miami in its 9th year, OSTraining partnering with GoDaddy to release training videos, and why plugins sometimes disappear from the WordPress plugin directory. We also provide an update on the REST API vulnerability that is actively being exploited to deface webpages.

Stories Discussed:

WordPress REST API Vulnerability Exploits Continue
Google Webmaster Tools Fixes Confusing Messages About Updating WordPress
WordCamp Miami 2017 to Host JavaScript Track, AMA Spots, and 2-Day Kids’ Camp
OSTraining Partners with GoDaddy to Launch Free WordPress Beginner Course on YouTube
Why Plugins Sometimes Disappear From the WordPress Plugin Directory

Plugins Picked By Marcus:

Mobile Featured Image allows users to add a featured image specifically for mobile devices. The new image can be a resized version of your featured image or an entirely new image targeted especially at mobile viewers.

FB Messenger Bot for WooCommerce automatically messages clients from your Facebook page, WooCommerce, or Gravity Forms. The plugin creates a ‘send to Facebook’ button at the end of the WooCommerce Sales process or on the Gravity Forms thank you page.

Restrict New Users by Domain makes it easy to whitelist or blacklist email domains that new users can use when registering. If using the whitelist, only new users who enter an email domain on the whitelist will be allowed to create an account. If using the blacklist, a user who enters an email domain on the blacklist will be unable to register.

WPWeekly Meta:

Next Episode: Wednesday, February 22nd 3:00 P.M. Eastern

Subscribe To WPWeekly Via iTunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #263:


Post Status: LoopConf in review

LoopConf is a developer centric conference, and LoopConf “2.1” took place in Salt Lake City in early February. This second iteration of the event was a great one, with informative, diverse talks, a laid back atmosphere, and it was very well organized — which is especially impressive considering the challenges that mother nature caused. As an added bonus, you can now watch all the talks for free.

Originally planned for Miami last year, LoopConf was postponed due to a hurricane in southern Florida — hence the “.1” above — and rescheduled closer to organizer Ryan Sullivan’s home in Salt Lake City. Despite the postponement, most attendees were still able to make it, and some folks (like me) could only go to the newly scheduled event.

Salt Lake City was unseasonably warm, making it a pleasant few days, mixed with great food and company. It was also a pleasure to be able to meet more people from local companies, including the newly minted BlueHost and MOJO headquarters downtown.

Post Status was at LoopConf as a media partner, and Brian Richards and I took a lot of pictures, as well as several video interviews.

What to know about LoopConf

In our first video interview, Ryan talked about the origins of LoopConf, and described what he hoped attendees would get out of the event:

I hope to see a future LoopConf 3, and I think the venue and atmosphere worked really well in Salt Lake City.

A small sampling of valuable talks

There were many great talks. I didn’t attend them all, as I was working on other stuff for much of the two days, but the feedback was pretty universally positive, and every talk I did attend, I found valuable.

The competitive landscape for WordPress

The first day kicked off with a great talk by Pantheon co-founder Josh Koenig, who spoke on the competitive landscape for WordPress, including opportunities and risks. It was a really excellent start to the event.

Empathetic communication

I met Sharon Steed prior to her talk, in which she spoke about empathetic communication. Her own journey as a communicator, going through life with a stutter, has shaped how she thinks about communication and how she advises her clients.

There were two quotes I loved: “Technology cannot replace the social aspect of face-to-face communication.” And, “Silence kills collaboration.” I think greater empathy in our ecosystem and society in general is pivotal.

Put an “S” on it

I don’t know anyone who knows more about HTTPS than Zack Tollman, who directed the effort to make WIRED’s website fully HTTPS. They learned many lessons, and he shares them in his outstanding talk.

Bootstrapping a WordPress business

The most recent podcast episode featured a video interview and extended audio interview with WP Engine founder and LoopConf keynote speaker Jason Cohen, which I highly recommend you check out. Jason is full of knowledge, and my interview with him pairs well with his keynote talk.

Jason’s talk will certainly get you thinking about whether you should raise your prices, that’s for sure.

Watch them all!

Don’t take my word for which talks to see. I just feature these because I got a lot out of them in the moment. However, in general I found this lineup to be one of the most proficient groups of speakers I’ve seen yet at a WordPress event.

Check out the whole playlist.

Pictures

Here are pictures from the three days of workshops and talks.
You are welcome to use these pictures however you wish. If you’d like to credit Brian Richards or myself, or Post Status, we’d appreciate it — but it’s not required. Pictures he took show Canon 6D in the meta description, and pictures I took show Canon 70D in the description.

More interviews from LoopConf

I’ll have more interviews from LoopConf over the coming days and weeks. I chatted with several core contributors and developers about specific experiences they’ve had with WordPress. Keep an eye out for those!

A fun, niche event with a lot of value

LoopConf was pretty laid back, and did a lot of things really well.

For one, I’m super jealous of how quickly they got the videos uploaded, and they’ve generously made them available for free for everyone. Also, there were no noticeable event hiccups, and the team was always available to help with whatever attendees may need.

The venue itself was really nice, as you can hopefully see in the pictures, and the whole place was laid out in a way that made both the talks and the hallway track highly accessible. And sponsors were in the center of the whole event, which was great.

I found that the size of the event (I’d guess around 200 people) made it so that conversations were easy to have, and we were able to go in-depth. And because everything from breakfast to dinner to the after party was at the venue, it made everything super convenient.

If and when there’s a LoopConf 3, you should go! I’ve also found this general theme to be true at other niche WordPress events — including A Day of REST (specific to the REST API in WordPress, which you should go to next month!) and PressNomics (a WordPress business event, which you should go to in April!), and even my own Publish event (which may have a second iteration later this year).

To learn more about LoopConf, check out the website. And definitely take advantage of all of those free videos!


Source: planet

WPTavern: Matt Mullenweg Responds to Security Rant: Digital Signatures for WordPress Updates Are Important but Not a Priority

Scott Arciszewski, Chief Development Officer for Paragon Initiative Enterprises, who is most widely known for his cryptography engineering work, published a post on Medium criticizing Matt Mullenweg, co-creator of the WordPress open-source software project, for not caring enough about security. Arciszewski has since retracted the post but you can read it via the Wayback Machine.

Arciszewski is working on the libsodium core extension for PHP 7.2, which provides encryption, decryption, signatures, password hashing and more. Its goal is to enable developers to build higher-level cryptographic tools.

WordPress’ automatic update system is handled through api.wordpress.org. Since updates do not have a digital signature, if api.wordpress.org were compromised, attackers could send malicious updates to thousands or millions of sites. This scenario was at the forefront of people’s minds late last year after Wordfence published details of a complex security vulnerability that could have compromised the update servers.

Arciszewski suggests offline code signing and elliptic curve cryptography as solutions. “The key that can produce a valid signature for a file isn’t stored on the server (only the file itself and a valid signature are), so even if the server gets hacked, attackers can’t just add trojan horse malware to the file,” he said.

OpenSSL is a PHP extension commonly used for public-key cryptography, but it only supports RSA, which Arciszewski deems inadequate. Since WordPress is written in PHP and supports versions 5.2-7+, Arciszewski needed a solution that was equally compatible. This inspired him to create sodium_compat, which adds Ed25519 signature verification to WordPress’ automatic updater.

Arciszewski submitted a number of patches to WordPress but was told by Dion Hulse, WordPress core developer, that the sodium_compat library could not be merged into core until it passed a security audit by a third party. Audits can cost a lot of money, so Arciszewski’s plan was to see if Automattic could take on some of the cost or to crowd-source the funds. However, his project was put on hold after Mullenweg told Hulse to stop working on the feature because it’s not related to the three core focus areas of the Editor, Customizer, and the REST API.

Arciszewski described the decision as irresponsible and said that every user has reason to be alarmed. “The WordPress team has shown that they are not responsible enough to govern their impressive ownership of the Internet (with the exception of some folks powerless to correct the organization’s course),” he said. “This act of negligence will put the rest of the web in harm’s way.”

Update Signing is Important but Not a Priority

Mullenweg responded to the post on Medium.com with one of his own and reiterated the WordPress development team’s commitment to security.

“Everyone involved takes their responsibility very seriously, and the growth of WordPress has meant many thoughtful, hard-working people have gotten involved and think of the security of WP sites holistically, from every angle,” he said.

Mullenweg also clarified what attacks would be stopped by implementing digital signatures to WordPress updates.

“It could stop a man in the middle attack, where someone modifies the update files on the network in between your blog and WordPress.org, or it could stop a situation where the part of .org that serves the update is compromised but the signing part isn’t, and someone decided to send out updates even though they know they’ll be rejected,” he said.

The team is unaware of any WordPress sites that have been attacked this way. While the possibility exists, the extent of the damage would likely be limited. The update servers are monitored around the clock, and since many large webhosting companies automatically scan their customers’ sites for malware, a malicious update would likely be discovered quickly.

Mullenweg describes what would happen if an update server was compromised.

“We would turn it off really quickly, notify the world there was an issue, fix the problem, turn it back on, and notify the specific sites or hosts as able,” he said. Although WordPress powers 27.5% of the top 10 million sites tracked by Alexa, it’s highly unlikely that that many sites would be compromised.

He goes on to say that there are easier ways to compromise a WordPress site and listed the biggest issues in WordPress security, ranked by impact.

  1. Sites not updating core.
  2. Sites not updating plugins.
  3. Sites not updating themes.
  4. Weak passwords, without brute-force protection or two-factor authentication.
  5. Hosts (professional or ad-hoc) not scanning and fixing sites.
  6. Hypothetical issues not seen in practice, which distract from the above existing priorities.

Mullenweg confirms that he offered to donate to the audit of sodium_compat a day before Arciszewski published his post. Even if the library passed an audit, the code couldn’t immediately be added to core. “You would also need to do some significant work on the server-side to isolate the signing from the update server, so it’s worthwhile in the first place,” he said.

And if the code were added to core, only the sites that updated to the version that has the cryptographic library and the update checking would be able to take advantage of it. WordPress.org would still need to send updates to older versions that don’t have update checking. These sites would still be vulnerable to receiving a malicious update.

Mullenweg says that digital signatures and update signing will end up in WordPress eventually, but it’s not a priority as there are other security issues ahead of it. “We are prioritizing those issues above a nice-to-have, defense-in-depth effort,” he said.

“A good approach would be to build the server-side first, because doing that properly, say with an HSM, is the difficult and important part; then get the packages signed; then test out verification in a plugin because we don’t want to break auto-updates; and then finally merge into core and set the client to reject non-signed updates. On the client side we need to pick a cryptography library, and get it audited.”
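To make the two halves of that design concrete, here is an added example that is not code from WordPress, sodium_compat, or either post. It covers both the Ed25519 verification that sodium_compat adds to the updater (described earlier) and the staged rollout Mullenweg outlines above: an offline signer that alone holds the private key signs a release package, the update client embeds only the public key, and a policy switch models the transition from "verify if a signature is present" to "reject unsigned updates". It is written in Go with the standard-library crypto/ed25519 package rather than in PHP so it runs stand-alone; the signed-message format, the type names and the sample package bytes are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedUpdate is what the update server would hand out: the package bytes
// plus a detached signature. The private key is never part of it.
type SignedUpdate struct {
	Version   string
	Package   []byte
	Signature []byte // empty for today's unsigned updates
}

// signingInput binds the release version to the package digest, so a valid
// signature for one release cannot be replayed against another version.
// The "wp-update-v1" prefix is an assumed domain-separation tag.
func signingInput(version string, pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	msg := []byte("wp-update-v1\x00" + version + "\x00")
	return append(msg, sum[:]...)
}

// OfflineSigner models the isolated signing machine (or HSM) from the quote
// above: it holds the private key and is separate from the update server.
type OfflineSigner struct{ priv ed25519.PrivateKey }

// NewOfflineSigner generates a keypair and returns the signer plus the public
// key that would be embedded in the client.
func NewOfflineSigner() (*OfflineSigner, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &OfflineSigner{priv: priv}, pub, nil
}

// Sign produces the detached Ed25519 signature for a release package.
func (s *OfflineSigner) Sign(version string, pkg []byte) SignedUpdate {
	return SignedUpdate{
		Version:   version,
		Package:   pkg,
		Signature: ed25519.Sign(s.priv, signingInput(version, pkg)),
	}
}

// UpdateClient is the verification side that would ship in core: it knows
// only the public key and a policy switch for unsigned updates.
type UpdateClient struct {
	TrustedKey     ed25519.PublicKey
	RejectUnsigned bool // false = transition mode, true = final "reject non-signed" mode
}

var (
	ErrUnsigned     = errors.New("update has no signature")
	ErrBadSignature = errors.New("update signature does not verify")
)

// Verify decides whether the client should install the update.
func (c UpdateClient) Verify(u SignedUpdate) error {
	if len(u.Signature) == 0 {
		if c.RejectUnsigned {
			return ErrUnsigned
		}
		return nil // transition mode: behaves like today's unsigned updater
	}
	if !ed25519.Verify(c.TrustedKey, signingInput(u.Version, u.Package), u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Tamper models a compromised update server swapping the package contents
// while leaving the now-stale signature in place.
func Tamper(u SignedUpdate) SignedUpdate {
	t := u
	t.Package = append([]byte("<?php /* injected */ ?>\n"), u.Package...)
	return t
}

func main() {
	signer, pub, err := NewOfflineSigner()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a release archive; a real package would be the zip bytes.
	pkg := []byte("wordpress-4.7.2.zip contents (constructed sample)")
	update := signer.Sign("4.7.2", pkg)

	client := UpdateClient{TrustedKey: pub, RejectUnsigned: true}
	fmt.Println("genuine update: ", client.Verify(update))
	fmt.Println("tampered update:", client.Verify(Tamper(update)))
	fmt.Println("unsigned update:", client.Verify(SignedUpdate{Version: "4.7.2", Package: pkg}))
}
```

The point of the split is that a compromise of the server holding `SignedUpdate` values gains nothing useful: modifying a package, re-labelling a signed package as a different version, or serving an unsigned package all fail in the client once `RejectUnsigned` is on. The transition mode is what the quote's "test out verification in a plugin" stage needs, and it is also why older clients without the check remain exposed until they update. In a PHP deployment the verification call would be libsodium's `sodium_crypto_sign_verify_detached`, which is what sodium_compat provides for PHP versions that lack the extension.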

Mullenweg ended his post explaining why he published his response on Medium instead of his personal site. “Seems to be the most popular place for rants like this. I also wanted to try out the famous Medium editor,” he said.

What’s Next For sodium_compat

While the prospects don’t look good for his library being added to WordPress in 2017, Arciszewski says there are plenty of other PHP projects that could benefit from it. “For their sake, I’m still strongly inclined to pursue an independent third-party cryptography audit, and attempt to crowd-fund the cost,” he said.
