3. Full Disclosure: It essentially wins crypto vulnerability bingo! gilfether/phpcr...

Full Disclosure: It essentially wins crypto vulnerability bingo! gilfether/phpcrypt

Typically people who disclose vulnerabilities give the vendor months to fix the issue before they disclose it. sarciszewski didn't even give this guy a day.

When it comes to cryptography, immediate full disclosure is more responsible than maintaining bug secrecy. Even so, I've tread the path of bug secrecy before, and all it results in is inertia. Projects would wait until hours before I publish to fix the problem. Others would sit unnoticed for months; meanwhile peoples' systems remain vulnerable in very obvious ways.

Don't try to frame this conversation as if I owe anyone months or even a day.

I see nothing wrong with this. Everyone has to start somewhere.

Read.

That's fixable

All of the problems I identified are fixable, but at what cost? Who's going to invest the time to volunteer to fix all of this project's problems? And even if you do, the end result will end up being somewhere between phpseclib and defuse/php-encryption -- at which point, why not use those?

Most AES implementations out there are vulnerable to cache timing attacks.

Most software AES implementations, you mean! You can side-step these by using AES-NI-- but to leverage AES-NI from PHP, you need to use OpenSSL. You can't execute raw ASM from PHP (but you can from C).

TLDR I think sarciszewski is, to an extent, doing a good thing by bringing an awareness of common issues to the community at large.

Thank you for saying so.

But he's also being a huge dick about it, being extremely trigger happy to publicly shame any and every project he can.

I previously sat silently for seven months! on another project's vulnerabilities. That's not exactly trigger happy. And the goal is not to publicly shame any and every project [I] can, it's to stop people from deploying insecure cryptography today to prevent disasters tomorrow.

we cheer him on like he's some sort of hero

And this is where I call bullshit. Nobody does this. Even the folks in the PHP community who don't hate me outright are very critical of everything I do.

The next time the developers of these pet projects write a project it's unlikely they'll open source it since the last time they open sourced something it got shammed in every possible forum. Like this project. Sure, maybe a handful of people use it. But just a handful. With 9 stars and 6 forks it just isn't a super popular project. Sure, it has had a few pull requests but only a scant number.

"You are not your project."

sarciszewski - if you're reading this... please just stop.

I'll make you a deal: If the rest of the PHP community agrees to stop writing insecure code, I'll stop publicly disclosing vulnerabilities in it. :]

/r/PHP Thread Parent Link - seclists.org
Previous
Next

Recently removed from /r/PHP

My company wants me to start having some PHP knowledge Longhorn PHP is November 3-5 (Thursday-Saturday) this year. Schedule's out, Early Bird pricing available. Small appreciation post for PHP8 What pragmatic value does PHP provide? Facebook PHP source code from August 2007 PHPStan composer license: MIT or GPL ? Are there apps that will send me an email when PHP errors happen? If so, what are some good ones I should know about? Valid concerns are raised about the JIT What is the perception (and value) of PHP in the marketplace today? Performance issues storing images in MySQL blobs? (high load website) PHP and the secrets of emergent architecture The PHP Desktop project is seeking companies to help make the project great again. Please see the Sponsors and Fundings sections on the project's main page. 5 Benefits of Choosing PHP Programming for Website Development PHP Weekly Discussion (September) TIL that json_decode() returns NULL if the json is malformed.

More Random Comments

If the genders were reversed this would be so huge Why do I feel like it's all an illusion? Denys Davydov new Report Seriously who thinks of that!? Rhodeia of Loch Meet my new oc, Alice! I made her because sometimes I just like to remind myself I CAN make ocs that aren't traumatized and(or) grumpy/sad if I try. The US's largest solar panel maker just got a huge domestic order I realize poorly built pallets are a cliche in this sub but Jesus TJ was a wonderfully hypocritical man (Flags are french and Haiti for those who don't know) I want to talk to different teenagers from different schools. Any suggestions to get started? Jealous but Excited What do 'very experienced' people with multiple active positions actually do? Fuck em’ The Last of Us - 1x08 "When We Are in Need" - Episode Discussion Am I too tall for my winchester 3030?