fonte: buli.waw.pl/wordpress-openpgp-emails

Integração do Wordpress com OpenPGP para melhor segurança: um caso de estudo

Resumo

Este artigo foca na possibilidade de trazer funcionalidades selecionadas do OpenPGP para o Wordpress de modo a melhorar a segurança geral do sistema com o uso de criptografia de chave pública. Ele avalia os benefícios e problemas de tal integração O artigo ainda contém uma visão geral sobre a segurança das notificações por email na versão atual do Wordpress. Pode ser-lhe útil se você é um desenvovedor do Worpdress ou um usuário interessado em segurança.

O artigo pressupõe um conhecimento básico sobre criptografia assimétrica e o papel das chaves pública e privada.

A Segurança do Wordpress

O núcleo do WordPress CMS pode conter falhas de segurança, como qualquer outro sistema de computador, porém, uma vez reconhecidas, elas são corrigidas num piscar de olhos e patches são disponibilizados rapidamente para os usuários.

Muito mais problemas de segurança podem vir dos erros do usuário ou da falta de conhecimentos em segurança de computadores. Problemas comuns podem ser detectados e resolvidos com plugins, tais como o iThemes Security. Mesmo depois disso, as senhas podem ser enviadas em texto clado a não ser que você configure a TLS para o servidor. Recomendo que se use HTTPS pelo menos para o painel de administrador, mas isso é outra história.

Depois de você ter configurado todos esses meios de segurança e quiser em seguida minimizar o risco de vazamento de informações potencialmente confidenciais, você pode querer checar alguns métodos criptográficos para proteger seus dados. Entretanto, isso merece atenção e pode realmente melhorar a segurança em algum aspecto?

Onde será que o PGP pode encontrar uso no WordPress?

Infomações encriptadas podem ser usadas para fornecer meios seguros:

Eis alguns cenários onde seja especialmente desejável manter informações confidenciais:

What emails are sent by WordPress?

This section contains a short overview of places where WordPress 4 currently sends emails. Those places were tracked by the usage of wp_mail() function. While I was listing the usages of wp_mail() I focused on the potential security risk connected with each email’s contents.

Use of wp_mail in WordPress 4.0 “Benny”

Mail subject Trigger Recipient Confidential?
New Site Created When site is created in multisite WordPress installation Administrator No. Only contains new site’s URL, name and author which doesn’t seem to pose security risk
%1$s Your site has updated to WordPress %2$s
%1$s WordPress %2$s is available. Please update!
%1$s URGENT: Your site may be down due to a failed update
When core update is available and WordPress has been updated, is ready to update (in case of manual update), or was broken by update. Administrator No. While the knowledge of a software version might make some attacks easier, by default this information is already considered public and can be read from the HTML meta tags.
[%s] Background updates have finished
[%s] There were failures during background updates
Detailed update log sent in development versions of WordPress Administrator Yes/no. Contains details about installed plugins, themes, translations. It is, however, rarely sent in real production sites.
[%s] New Admin Email Address When administrator changes his email address in options, a confirmation email is sent with a link. Administrator No. This does not seem to pose a serious security risk.
[%s] New Email Address When user changes his email address in options, a confirmation email is sent with a link. User No.
New WordPress Site Sent when site is created and configuration is complete. Email contains administrator username and password sent in clear text, although password is only sent when it’s autogenerated (not user-specified). Administrator Yes. might contain password inclear text.
[%s] Delete my site When user requests to delete a site, an email is sent with a link to confirm removal of the site. Administrator Yes/no. Contains a link that may lead to a destructive action.
[%s] Joining confirmation Email containing invitation for user granting him chosen level of privileges. Contains activation link, name of the site and role. Does not contain any login data. User No.
%1$s Activate %2$s In Multisite installations. Contains activation link when user creates a blog. Does not contain any login information. Subsite administrator in Multisite system No.
New Site Registration: %s In Multisite installations. Notifies the network admin that a new site has been activated. Contains new site’s name, URL, IP, link to disable further notifications. Administrator No.
New %1$s Site: %2$s In Multisite installations. After a site is created and activated, this email is sent. Contains username, password (in clear text), link to wp-login, blog url, site name. Subsite administrator in Multisite system Yes. Might contain full login information.
%1$s Comment: “%2$s”
%1$s Pingback: “%2$s”
%1$s Trackback: “%2$s”
Notify an author (and/or others) of a comment/trackback/pingback on a post. Contains the informations that are publicly visible + comment author’s IP address and domain. Author, users, guests No.
%1$s Please moderate: “%2$s” Sent to moderators when new comment, pingback or trackback appears on a site. Moderators No.
[%s] Password Lost/Changed Notification for Administrator when user loses and then resets her or his password. Contains almost no information except username and message itself. Administrator No.
[%s] New User Registration informs administrator about new user registration. Contains user’s name and email. Administrator No.
[%s] Your username and password Username and password sent to user after registration in clear text. User Yes. Might contain full login information.
[%s] Password Reset Email set when user requests password reset. Contains login and link to password reset form. User Yes/no. Does not contain login information, but contains password reset link for user, which might be used to reset password by anyone in its possesion.

As you can see in the table, in my estimation most of the emails does not contain information that could pose a security risk. The exception are emails containing passwords, although they only contain this information for automatically generated password, so the password that may leak this way is limited to the wordpress site. Actually, I think that the best way to deal with this issue would be to stop sending those passwords as they are displayed in registration process anyway and sending passwords is a bad practice.

More interesting information can be generated by plugins. Let’s consider database backups (or links to backups) sent via email, or contact forms plugins with private messages from users. This is something where OpenPGP fits the bill and could definitely find use.

To make it clear, default installation of WordPress does not support PGP in any form.

Plugins for the rescue

In WordPress’ plugin repoistory there are currently three plug-ins related to PGP:

wp2pgpmail

a simple contact form for WordPress with PGP support. Pro version supports more advanced forms – it integrates Gravity Forms plugin.

SimpleSecure

another contact form with PGP support.

PGP Key Generator

a simple PGP key generator implemented on a client side (JavaScript), that allows to generate PGP key pairs of length 1024, 2048 or 4096 bits. Does not have much in common with WordPress, except it’s just a small javascript app that can be easily inserted anywhewre in WordPress using shortcode.

While safe contact forms are worth the attention, they only work in the scope of the plugin-generated content, and do not change the default way email are sent (plain text).

Would it be possible to write a plugin that encrypts all messages with some public PGP key? Yes, thanks to the fact that wp_mail() is a pluggable function. Tim Nash wrote a simple PGP filter for wp_mail plugin that does just that, you can find more in his article.

Plugins might also encrypt some information they generate with the use of javascript client-side library like PGP / GnuPG / OpenPGP Message Encryption in JavaScript or server-side library like Jason Hinkle’s php-pgp.

Another way to encrypt all messages addressed to a certain person would be to extend PHPMailer that is used internally by wp_mail(). This is beyond the plugin architecture, but such PHPMailer extension could be used in other projects as well.

Should WordPress’ core support PGP?

Would WordPress community benefit from introducing PGP support in WordPress’ core? I think that currently such feature could go unnoticed or would be widely misunderstood since public key cryptohraphy is not a popular thing. The amount of potentially confidential information sent from the default WordPress installation is very small and I would not bet that the number of security issues would significantly decrease. In short, the game seems not to be worth the candle as it would require some development in core WordPress, UI, then debugging, supporting and there are areas where this effort could be needed more. Some plugins, however, might try to fulfill this task instead.

Personally however, I find the idea of encrypting notification emails as the new convention in the Internet worth attention. Hundreds of companies and governments crave to collect as much data of the users as possible, and then retain it, backup in the cloud, replicate, analyze, sell etc. Regaining the control over the data that is connected with us, and keeping it away from the big players seems like a reasonable thing to do. For example, when you decide to use Facebook and provide GMail addres for notifications, the copy of all conversations addressed to you will now be available to both companies. Encryption of such notification messages could limit the risk of a data leak, and although WordPress notifications doesn’t contain too much sensitive information, it’s one of the most popular CMS on the Web and might have the power to create such security conventions.

I’m wondering if providing an easy way to implement such feature and giving a good example could not pave the way for the other programmers to get interested in the idea. I already have a prototype of a PHPMailer extension that encrypts emails with a public key if it is available. I’ll probably share it on a GitHub soon. But will this (OpenPGP) technology ever come out of the technical univesities for everyday use by the people, or is it just too complex to undestand and widely implement?