On Mon, 2013-09-16 at 11:56 +0100, Alain Williams wrote:
> In the light of the recent scandal of the NSA (& others) attacking encryption
> would it be a good idea to see if we can get an audit of all the security
> related code in PHP ? It would do a bit to help boost confidence in PHP - and
> might even find something (although I hope not).

PHP itself doesn't do much crypto stuff. We rely mostly on libs like
openssl etc. and provide hashing algorithms which follow the
specifications. If the specifications are bad this is a global non-PHP
issue.

> What I am thinking of:
> 
> * done by people outside of the usual PHP community.

If you get reviewers to review our code, we're happy to receive feedback
on bugs.php.net or secur...@php.net.

> * the final report, and any interim ones, to be published in their entirety.
> 
> * done by people who have real clue when it comes to security [count me out 
> :-) ].

The issue is that most people with "real clue" either charge a lot of
money or tend to do more self-promotion than actual help.

> Why ? To improve the public confidence in PHP.
> 
> Just in case you have been living under a stone recently:
> 
>     https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

Note that most of these things don't refer to PHP directly, i.e.
encryption between the user and PHP is usually done by the web server,
and encryption between PHP and databases by the database libraries. If
applications built on top of PHP don't do proper end-to-end encryption,
that is also no issue of the platform in itself.

johannes



-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php