26 Comments

  1. Josh

    How is a security issue “important” but not a high priority for development? Erm…what?


    • Joel James

      Same question here.


    • David Artiss

      Because, as Matt's response states, there are a lot of more important security issues that could be tackled first. Update signing would be a big change to implement yet, right now, it offers only a minor benefit in terms of security.

      • mark k.

        and working on one obviously prevents one from working on others?

        wordpress.org was since inception of the update mechanism a weak security point. It is actually amazing that as far as we know it wasn’t abused in any major way, but the weakness was known forever. All other software distribution shops verify that whatever is being installed was properly signed, and this was done by the likes of Microsoft from before wordpress.org distribution had started, so it is by no means a new idea that the WordPress world suddenly gets to be aware of.

        But you are right that there is more important low hanging fruit that might be worth handling first, like stopping user enumeration, preventing brute force attacks, disabling external “posts” via comments, pingbacks, XML-RPC, REST API, and hardening the default htaccess. But wait, actually no one works on any of those things, so what exactly is higher priority?

        No one that has been around wordpress for long enough time has any illusion about what is the highest priority of core – market share. Anything else is handled just in the minimal amount of effort that is required for the market share campaign to proceed.

        Core in general does not care about security, or software quality (two things that go together many times), and this is the reality everybody that works with and uses WordPress accepts, which is why security related plugins are among the most downloaded ones. If core was secure no one would have needed them.

  2. pedro

    Security should always be a core focus area! This isn’t a minor thing.

    Linux distributions have been doing this for ages, and I can remember when a distro or two got caught sending infected updates.


    • fwolf

      The most recent one would have been Linux Mint. And they were properly smacked over the ear for still using md5 instead of at least sha256 crcs.

      cu, w0lf.


  3. Pedro M.

    Matt is the main reason why the company I work for is moving away from WordPress.

    Multiple bad decisions and a lot of #wpdrama doesn’t give us the confidence we need on this project.

    We are now adopting Drupal on new projects and in the summer we will build our own CMS based on Laravel.


  4. Ted

    The problem with Matt M’s list of higher priorities is that they are all about user stupidity or host company stupidity. Fine. Granted. But a little bit of misdirection if the question is what can .org do to make itself more secure.


  5. willc

    I don’t agree with Mullenweg on this. He clearly doesn’t understand the concept of “defense in depth,” that he alludes to in his response. By focusing only on the low-hanging security fruits, you make the biggest one the most appealing target.

    To add to that, I find it laughable that Mullenweg suggests the risk is mitigated by web hosts that scan your website for malware. This may be true for a percentage of people who can afford managed WP hosting, but even then, what makes him think that someone sophisticated enough to compromise the WP update servers is going to be sloppy and sling out easily detected malware?


  6. Christopher A

    I kind of get where Matt is coming from but the most worrying part of his statement is “…best estimate based on hypotheticals is in the tens of thousands.”

    So the mitigation strategy is: the first 50,000 sites or so to get hit are basically collateral damage and we’ll stop the bleeding there. How is that acceptable? There should be zero sites at risk. I get that tens of thousands is a trivial number when dealing with hundreds of millions but these are real people and businesses, not just numbers.

    How is this supposed to be comforting to anyone?

  7. Justin Nguyen

    Personally I think the issue is potential and hasn’t happened yet. While preventing is great, Matt’s response seems reasonable.

  8. David Coveney

    With the public key you can use code-signing to verify that your code hasn’t been tampered with. That’s the whole point. It’s not about man-in-the-middle, it’s about ongoing integrity. If someone gets into a server, if you have signed code, you can easily tell if that code has been changed without going back to the server. Because you have the public key.

    So you could download code on Monday and the source server could be hacked on Tuesday. If you check against the source server you’re vulnerable. If you check the signature only, you’re not.

    I think Matt has wilfully dodged that whole point of it, though it’s fair that the original argument didn’t specifically prime people on the whole purpose of code signing either.


  9. Louis Reingold

    It’s easy to say that something should be done when someone else is the one that has to do the work.


  10. Malik Farooq

    I disagree with Mullenweg for many reasons, first of all, he only focused on low type of security steps, secondly, he said the main risk to the hosting companies that scan your website to check for any malware issues.


  11. amgine

    Users and hosts can be stupid, and nothing .org does can change that.

    That takes care of 5 of the 6 priorities listed by Mullenweg.

    The 6th is “people can always come up with hypotheticals and waste your time.” True. They can also save your nuggets from the fire. Which is it this time?


  12. gorwinnie

    The human factor is always a key issue in security. Always has been and always will be. Mullenweg is completely delusional if he thinks that users not updating their sites routinely and not using expensive hosting is a justifiable excuse to deprioritize security within WP core. That’s just downright irresponsible. I would much rather have a secure product than one with a fancy customizer and an API I’ll likely never use. I am getting so tired of constantly worrying about WP security.


  13. Tomas M.

    The update servers are monitored around the clock and since many large webhosting companies automatically scan their customer’s sites for malware, the malicious update would likely be discovered quickly.

    As we all know, Yahoo and countless other companies were also “monitoring their servers around the clock”. If you face smart hackers, it may take years to notice the hack and then to fix the damage.

    It is also a real possibility that WP staff could be infiltrated, so you would not deal with the man in the middle, but with the man inside. As someone said – the fruit is big, so the stakes are high.

  14. Nico

    Discrediting the detailed post packed with valid points as a “rant” in the title is crappy journalism. Obviously biased towards Mullenweg who owns this site. The fact that he deleted that post does not make it a rant. Yes the #mullware heading sounds like it, the post's text did not! And it's correctly called a “post” just right below the heading.

    I have seen a former WP core contributor call out Nacin or WP core for security flaws before and his points were stunning and showed how far core got away from understanding/caring about the basic every day user.

    I think it's always very annoying when people with massive power consider security low priority. And calling this “Important but not a priority” is exactly that.

    So you can imagine my shock yesterday when Dion Hulse informed me that Matt Mullenweg, CEO of Automattic and lead WordPress developer, ordered him to not do any work on package signing, because it wasn’t one of Matt’s goals for 2017 (which consists entirely of: Customizer, Editor, and REST API).

    Mullenweg stubbornly stays by these goals as if they are written in stone. Probably because he has some kind of philosophy that this is the way to go. He is not willing to change the goals for security. That's just the wrong decision. And it may very well be that not updating or even using certain themes/plugins are way riskier but he can't do anything about it so listing all the stuff that is riskier does not make a great point for not doing code signing.

    I get that this would not immediately benefit anyone but as someone who runs my own VPS I would for sure make sure to do any steps needed on the server side that seem to be needed if I get this correctly.

    What about a 3rd party solution, what if the WP releases would be signed with PGP (I am just guessing that they don’t) and one would just use some script that runs every few hours, checks for a new version, if any, download, check, install or delete+alarm.

    I don’t know why he deleted that post, he should just change the title, and funny enough that's also true for this very article ;)

    Note to self: Probably do some PGP signing yourself first, then criticize. Well I don't affect 27% of the Internet so there is an excuse ^^
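    The point David Coveney makes above (verification needs only the pinned public key, so it still works after the download server is compromised) and the "download, check, install or delete+alarm" script Nico sketches are easy to make concrete. The following is an added example written for this thread, not code from WordPress or from any commenter: a publisher signs the SHA-256 digest of a package with an Ed25519 key, and a client that knows only the public key accepts the genuine package, rejects a swapped one, and rejects one signed with some other key. The `Release` type, `SignRelease`, `VerifyRelease`, `ChecksumMatches` and `Decide` are this example's own names, and the package bytes are constructed sample data; `ChecksumMatches` is included to contrast a bare published checksum (the Linux Mint case fwolf mentions) with a signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is an update package plus the detached signature the publisher
// produced over it. The field names are this example's own, not a real format.
type Release struct {
	Version   string
	Package   []byte // archive bytes (constructed sample data in main)
	Signature []byte // Ed25519 signature over SHA-256(Package)
}

// NewPublisherKey generates the publisher's key pair. In practice the private
// key stays on the release-signing host; only the public key ships with clients.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to do in a demo
	}
	return pub, priv
}

// SignRelease is the publisher side: hash the package, sign the digest.
func SignRelease(priv ed25519.PrivateKey, version string, pkg []byte) Release {
	digest := sha256.Sum256(pkg)
	return Release{Version: version, Package: pkg, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyRelease is the client side. It needs only the pinned public key, so a
// package downloaded on Monday can still be checked after the server is
// compromised on Tuesday, without contacting the server at all.
func VerifyRelease(pub ed25519.PublicKey, r Release) bool {
	digest := sha256.Sum256(r.Package)
	return ed25519.Verify(pub, digest[:], r.Signature)
}

// ChecksumMatches is what a bare published checksum gives you: it catches
// corruption, but whoever can replace the package on the server can replace
// the checksum file next to it, so it is not an integrity guarantee.
func ChecksumMatches(pkg []byte, publishedHex string) bool {
	digest := sha256.Sum256(pkg)
	return hex.EncodeToString(digest[:]) == publishedHex
}

// Decide is the updater's verdict: "install" when the signature verifies,
// "reject" otherwise (the reject branch is where a script would raise its alarm
// and delete the download).
func Decide(pub ed25519.PublicKey, r Release) string {
	if VerifyRelease(pub, r) {
		return "install"
	}
	return "reject"
}

func main() {
	pub, priv := NewPublisherKey()
	genuine := []byte("release-x.y.z.zip (constructed sample bytes)")
	rel := SignRelease(priv, "x.y.z", genuine)
	fmt.Println("genuine package:", Decide(pub, rel))

	// A server-side swap: same version, different bytes, attacker lacks the private key.
	swapped := rel
	swapped.Package = bytes.Replace(genuine, []byte("release"), []byte("tampered"), 1)
	fmt.Println("swapped package:", Decide(pub, swapped))

	// The swapped package still matches a checksum the attacker republished alongside it.
	d := sha256.Sum256(swapped.Package)
	fmt.Println("checksum alone accepts swap:", ChecksumMatches(swapped.Package, hex.EncodeToString(d[:])))
}
```

    Signing the digest rather than the raw archive keeps the signed message small; with Ed25519 the whole archive could be signed directly as well. The part that matters for the thread is that `VerifyRelease` takes no server input: the only trust anchor is the public key pinned in the client.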

  15. David Bowman

    Let's stop this fantasy that WordPress is secure. Even the updates need updates. Recently we were denied the knowledge of a flaw until weeks after it was patched. Try putting a new WordPress install into the wild, without any third party prophylactics, and see how vulnerable it really is. It’s not a case of when you are going to get hacked, it's how many times. What about a quality tested mark for plugins or info on what security tests are done on the plugins in the directory. Relying on last update date isn’t enough. This and the Google HTTPS tax have made us abandon WordPress and go back to HTML. What about a slimmed down core secure version of the install. #wpbloat

  16. Alex Sirota

    I wrote a blog post a few years back comparing WordPress to Windows XP. It’s a widely used piece of software, important to millions of people. Windows XP gets hacked as soon as you put it online. So does WordPress, especially out of the box.

    But I have to say prioritizing code signing when there are so many other obvious places to improve security doesn’t make sense.

    The low hanging fruit are there and have been mentioned in this thread to harden default WordPress installs. The chances of the current hacks we already know about happening are MUCH higher than the chances of a person in the middle or person inside WordPress infecting core distributions.

    Also how many of you actually sign your emails with PGP on a fairly regular basis? I dare any of you to live with signing PGP and signing attachments with your email client more than a few times a day. Once you see how badly PGP is implemented from a user perspective, you’ll realize that just having a signing library for code is not enough – there’s a lot of work to be done to make the experience seamless.

    I think that’s what Matt cares about (and many others) — making the update experience as seamless as possible while keeping security top notch.

    I also think that this is a responsibility of many more than the core WordPress dev group. Hosting providers, end users and many others also should bear the burden of managing their WordPress installations. I know many developers who don’t even think of the default security stance WordPress takes and just ‘set it and forget it’.

    We probably need a WordPress Pearl Harbor to happen before anyone takes real notice. Until then, harden and secure your sites and choose hosts that take security seriously (i.e. choose Managed WordPress hosts).

    • David Bowman

      Who died and made WordPress God? How long before WordPress wakes up and smells the coffee. The security and HTTPS blocks will make people think of alternatives, even social media hosting. Yes the supply chain has other holes, but blaming them is a smoke screen. Time for a subscription fee for a secure PRO version or a cut down core version with less risks. Time to take better care of the golden goose.

  17. Alex Sirota

    And now this. SHA-1 has been smashed.
