The PHP team has unanimously voted to integrate the Libsodium library in the PHP core, and by doing so, becoming the first programming language to support a modern cryptography library by default.
The proposal to embed Libsodium (also known as Sodium) into the PHP standard library came from Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, a man that has campaigned for stronger cryptography in PHP CMSes in the past.
The PHP team approved his proposal with a vote of 37 to 0 and decided that Libsodium will be added to the upcoming PHP 7.2 release that will be launched towards the end of 2017. The current PHP version is 7.1.2.
Arciszewski, who is also a leading cryptography expert, explained that his decision to push for Libsodium's inclusion in the PHP core came because of WordPress, a PHP-based CMS, and shared hosting providers, most of which don't allow customers to install custom PHP extensions, mainly due to the hazard these untested or unknown extensions pose to their infrastructure.
In Arciszewski's thinking, adding Libsodium to the PHP core would eliminate the need for shared hosting providers and customers of dealing with security-minded PHP extensions, since basic and secure cryptography would be supported by default in modern PHP versions.
"Shared hosting providers are the culprits here," said Arciszewski. "VPS providers typically (always, in my experience) give you root on your own virtual machine and let you have at it."
Additionally, he says Libsodium would also eliminate the need to convince the WordPress team to improve its security practices since they'd be left with no choice but using the improved cryptography functions already available in PHP.
In an email to Bleeping Computer, Arciszewski presented more arguments why adding the library to the PHP core is so beneficial to the overall state of PHP security.
"Each one of those would, independently, be a modest but somewhat significant win," Arciszewski wrote via email. "I believe security should be for everyone, not just the 1% who can afford to purchase it."
"Marrying the two [PHP and Libsodium] is the most logical and straightforward way to get better security in the hands of [PHP] developers who wouldn't have the time or cryptography experience to build something as secure on their own," Arciszewski also added.
"PHP powers at least 82% of websites on the Internet. Libsodium is the library that most cryptographers recommend for application-layer cryptography," the expert said.
Libsodium already existed and does it right, so that's what I proposed.
- Scott Arciszewski
Libsodium is a portable, cross-compilable, modern, easy-to-use software library for encryption, decryption, signatures, password hashing and more. The library is written in C, just like the PHP source code.
Many companies like Keybase, Digital Ocean, Riseup, Yandex, Wire, and Zcash, already deploy Libsodium with their services.
Arciszewski explains the technical advantages of using the library, and why Libsodium is one of today's most modern cryptography libraries in an article penned last week.
He also explains why PHP is actually "the first" programming language to support a "modern" cryptography library in its core, despite Erlang and Go including similar libraries, which he claims are not as complete and up-to-date as PHP's upcoming Libsodium implementation.
Previously to getting involved with adding Libsodium to PHP, Arciszewski has had his run-ins with the WordPress security team after he lobbied for the addition of a strong CSPRNG (Cryptographically Secure PseudoRandom Number Generator) to WordPress 4.4, and found several flaws in the WordPress update process that would have allowed an attacker to hijack all WordPress sites on the Internet.
Arciszewski was also one of the cryptography experts that signed an open letter to The Guardian this month, urging the paper to retract a story that incorrectly stated that WhatsApp included an encryption backdoor.