On Tue, Jun 23, 2015 at 11:18 AM, Ryan Mauger <[email protected]> wrote:
> The use of md5 in 2015 is honestly a bad idea imo, given that people > everywhere are pushing for people to stop using md5 in any security related > context, and that since 2006 its been possible to generate collisions on the > algorithm in minutes on only a notebook computer, it really should be > consigned to the history books. Which is why its there. Can you imagine the amount of systems that use it? > The sha256, while better, still is not fantastic, considering that the > php.net site appears to also be running from those mirrors (I was on the > php.net domain, and not a subdomain of it when I got the certificate error), > which would make it possible for a mirror which has been compromised to also > change the apparent checksum to simply match the one they are distributing. You were not on plain "php.net" no, you were on www.php.net -- we support https on "php.net", not "www.php.net". We'll add secure.php.net soon. Keep in mind your beef with md5 and sha256 -- these seem to be industry practice you have issue with. FreeBSD an many linux flavors list those, while I can only find md5 for Ubuntu o.O > The GPG signing, is indeed the correct method to use, I have no bones with > that, I would however be surprised if you looked in your logs and found > anything close to a 1:1 ratio of downloads of the sources to downloads of > the signature. or any ratio which would suggest it was a common practice, so > https in some part, would at least protect anyone using automated tools from > man-in-the-middle. Incorrectly feeling secure on false pretenses is the worst thing that can happen. If we pretended everything is hardcore security scrutinized even fewer would be aware of what security is and wouldn't bother verifying the facts for themselves. As it is now, we provide you with the means to verify it yourself. Trust noone. Verify. Authenticate. Downloading from https just because its https does literally nothing for your security. It is effectively less so. It makes you less conscious of what is going on and more gullibly thinking everything is fine, when it isn't. > The lack of any documentation of how to actually verify the GPG signature > also now occurs to me as being missing, and it would be great to see that > added to the docs on at least the downloads page, if not also the pages > concerned with compiling PHP. +1 I think thats a great idea! > Move the mirrors into their own domain (phpmirrors.org?) or subdomain > (mirrors.php.net) preferably not actually on the php.net domain, as then a > compromise of the keys for the mirrors domain does not automatically extend > to php.net This seems to defeat what we are trying to do; reduce the hops it takes you to reach the destination; use local bandwidth for the environment and faster speed for the users. Having only one server serving the website doesn't work out. > Talk to services such as Cloudflare, they may be open to supporting PHP with > some sponsorship? I trust them less then our maintainers. Why do you think giving them our private keys is better? They could already be in bed with surveillance agencies. We did look into their "keyless SSL", and still are. It does not look like all needed components are Open Source though :( > Give each of the mirrors their own certificate when letsencrypt becomes a > reality later this year (assuming they get the OS / Browser support across > the board) > Consider pooling mirrors into groups, using multiple certificates, and > sharing one set of keys across smaller sets of mirrors at once, so not all > mirrors and php.net itself share the same keys Do you know how to do that? To my knowledge it is not possible, its not how certificates work. I'd be very interested in seeing how this would work. Best we could do at the moment is to create secure.php.net with 3 or 4 trusted servers under our control (which we don't have), Europe, North America and Asia would be nice start, and geo enable it. It still screws over the part of the world where bandwidth is extremely expensive, and doesn't help us reaching the goals previously mentioned :( -Hannes -- PHP Webmaster List Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
