Tellyworth 1:14 am on August 16, 2019

SSL for auto updates

r44954 introduced experimental package signature verification for pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party and theme updates. That and subsequent commits from #39309 have proved useful in testing and experimenting with the use of cryptographic signatures for update verification. That work has progressed to a point where it has become clear that there are many complicated and difficult problems to solve in order for signatures to be used securely in practice, and that solving those problems requires cryptographic expertise that we don’t have enough of.

Based on the discussion in that ticketticket Created for both bug reports and feature development on the bug tracker., there are essentially two possible ways to implement the key management infrastructure needed to use signatures in production:

Build a certificate structure something like X.509, and implement secure APIs to allow for key revocation and rotation.
Use something like Gossamer for distributed key management.

Since both of these options are long-term projects that require very careful design and testing, we need a short-term plan for improving the security of auto-updates while those more ambitious ideas are explored.

It appears that the sensible short-term solution is to shelve signatures for the moment and instead use checksum hashes delivered over HTTPSHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information.. By strictly enforcing SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. certificate checks, we can offer package integrity checks that are more secure than the status quo, and take advantage of SSL’s certificate infrastructure for authentication. That will allow us to move forward with auto-updates now, and continue to research and develop robust signature protocols for future release.

I propose we do the following for 5.3:

Review the suitability of hashes provided by the coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. update APIs.
Improve the core update code so as to always use SSL with certificate checking (on systems with functioning SSL).
Implement compatibility checks and fallback options for systems without functioning SSL (perhaps requiring human intervention to manually verify updates).
Implement end-to-end tests for update code, including SSL fallback, and tests for the update APIs and checksums.
Review handling of edge cases and exceptions such as rollbacks.

To clarify: in this context, SSL refers specifically to using a secure connection to api.wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/. It would not require SSL certificates to be installed on a WordPress site. Certificates would be used to verify the authenticity of wordpress.org itself.

Later versions of WordPress can make this obsolete by incorporating a well-tested system for signature verification once it is ready for production.

Enabling strict SSL for updates is a necessary step towards safely providing auto-updates. With this in place we eliminate the main technical blockerblocker A bug which is so severe that it blocks a release. to two of the 9 Projects for 2019.

Joy 1:31 am on August 16, 2019

All of that would be in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress.? Or any changes on the APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. side would be in a different endpoint? Trying to see how it would affect older versions of WP connecting to the API.
- Tellyworth 1:43 am on August 16, 2019
  
  Pretty much all in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress., yes. There may be some minor changes on the APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. side if for example there is a decision to change the type or format of hashes, but that would be done in a way that preserves backwards compatibility.
  - blumenberg 8:45 am on August 16, 2019
    
    With enabling strict SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions., you would exclude WP users w/o the possibility to use SSL certificates. That would be the end of using WP after 10+ years.
    - John Blackbourn 9:32 am on August 16, 2019
      
      Please read the post in full. There are considerations for fallback behaviour for servers that don’t support SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions..
      - blumenberg 10:47 am on August 16, 2019
        
        I read the article in full, maybe I did’t understood the following sentence,
        
        requiring human intervention to manually verify updates
        
        … but this sounds like doing updates manually … and this frightened me.
        
        secretvrdev 3:11 pm on August 16, 2019
        
        I had to make an account. Extra for you!
        
        Please. Please dont do auto updates without any security. Please get used to ssl. If you are gonna make your pages without ssl and an auto update you are gonna be responsible for all the spam in the web.
    - paragoninitiativeenterprises 10:59 am on August 16, 2019
      
      What exactly prevents you from using SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions.?
      - blumenberg 4:38 pm on August 16, 2019
        
        My hoster prevents me from using SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions., well, exactly from using Let’s Encrypt certificates — I could use SSL certificates he provides/supports, but that are only paid ones, and the WP installations I have are more than 10; if I do the math, it’s going to be around more than € 30 a month for the SSL certificates. That’s what’s preventing me from using SSL.
        
        paragoninitiativeenterprises 4:44 pm on August 16, 2019
        
        You’re totally misunderstanding.
        
        SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. between Firefox/Chrome and YourBlog.com, versus SSL between YourBlog.com and api.wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/.
        
        We’re talking about column B, not column A.
        
        blumenberg 9:35 pm on August 16, 2019
        
        Thanks for the clarification — but sadly I don’t understand your example. Right now my sites don’t use httpsHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. b/c I can’t afford to buy the SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. certificates. If (future) WordPress requirements incl. SSL (https) for e.g. the update function/process, I will have a problem. If that’s a misunderstanding from my side I’m sorry.
        
        Aaron Jorbin 10:05 pm on August 16, 2019
        
        1) With https://letsencrypt.org there is no longer a cost to having a certificate. Your host will need to support it or support uploading your own certificates, but the cost to obtain a certificate is now zero.
        
        2) To clarify the discussion a bit, this isn’t about how you access your site, it’s about how your server accesses the WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ servers. Your site doesn’t need a certificate for this, it needs to be properly configured.
        
        blumenberg 10:42 pm on August 16, 2019
        
        Thanks. Now I think I understand the differences.
        
        Just for (1): like I wrote before, my hoster does not support Lets Encrypt certificates and said a month ago that they don’t plan to do so in the foreseeable future. 1 SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. certificate = € 2,99/month and 1 wildcard SSL certificate = 14,99/month. If I had only a handful domains I would move to a better/different hoster w/o hesitating … but 90 domains is a different thing.
        
        paragoninitiativeenterprises 3:35 am on August 17, 2019
        
        Your host’s certificate support is, frankly, irrelevant.
        
        However, you should feel free to name and shame them for being an obstacle to Internet Security.
        
        paragoninitiativeenterprises 10:37 pm on August 16, 2019
        
        Right now my sites don’t use httpsHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. b/c I can’t afford to buy the SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. certificates. I
        
        Consider the following.
        
        Browser WordPress blogblog (versus network, site) Update Server
        
        Your inability to afford TLS certificates affects the link labelled “A”. The entire topic at hand is solely concentrated in link “B”, and has zero to do with link “A”.
        
        The concept of HTTPS is used in both places, but the link B concerns are orthogonal to whether or not you use HTTPS on link A. (Which you should.)
        
        paragoninitiativeenterprises 10:37 pm on August 16, 2019
        
        Browser <–A–> WordPress blogblog (versus network, site) <–B–> Update Server
John Blackbourn 9:36 am on August 16, 2019

What are the stats for the percentage of servers connecting to the update APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. that support server-side SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. and can perform correct certificate checking, versus those that can’t?
paragoninitiativeenterprises 10:53 am on August 16, 2019

Point of order: I would highly recommend keeping the signatures in place for coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. updates. It’s the updates for plugins and themes that need to come later, and forcing HTTPSHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. (which is HTTPHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. over TLS, not SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions.) is a good move.
Roy Randolph 4:43 pm on August 16, 2019

Question – What will specifically be check regarding SSL? Will, it simply be the site is operating via https:// or qualifying SSL Certificate with the domain? (like a domain verification when a SSL Certificate is issued).

The reason I say this if sites are operating behind a WAF (Web Application Firewall) like Cloudflare for instance (in most cases) the domains SSL will be from Cloudflares edge servers, not the source server. There has been some ongoing issues when running Cloudflare under FULL STRICT SSL (meaning SSL must be a valid SSL) instead of Full ( a valid SSL but the Certificate could have expired or be a self-signed SSL Certificate) and on servers like cPanel and the auto SSL function.

If the process is just confirming the WordPress install is on https that sounds it shouldn’t be a problem. Otherwise could be issued.
- paragoninitiativeenterprises 4:48 pm on August 16, 2019
  
  This has nothing to do with your frontend site using SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions./TLS or not. (Point of order: Nobody should use SSL anymore, it’s TLS these days.)
  
  Consider the following:
  
  Browser <–A–> WordPress blogblog (versus network, site) <–B–> Update Server
  
  You’re focusing on the first connection (A), but this post is talking about auto-updates, which solely exists in the second connection (B). It’s totally irrelevant to the first one.
pingram 2:50 pm on August 29, 2019

I’m a tad confused. I already thought this was implemented in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress..

I recently wrote a sniffer pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party to capture all httpHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. requests reaching out to api.wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ and can clearly see in each and every request an [sslverify] key w/ a value of 1 and [sslcertificate] key in which a certificate is located at /wp-includes/certificates/ca-bundle.crt.

Is this not related?

Comments are closed.

Welcome!

Communication

SSL for auto updates

Welcome!

Communication

Share this: