The PHP team has unanimously voted to integrate the Libsodium library into the PHP core, making PHP the first programming language to support a modern cryptography library by default.

The proposal to embed Libsodium (also known as Sodium) into the PHP standard library came from Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, who has campaigned for stronger cryptography in PHP CMSes in the past.

Libsodium integration arriving with PHP 7.2

The PHP team approved his proposal with a vote of 37 to 0 and decided that Libsodium will be added to the upcoming PHP 7.2 release that will be launched towards the end of 2017. The current PHP version is 7.1.2.

Arciszewski, who is also a leading cryptography expert, explained that his decision to push for Libsodium's inclusion in the PHP core came because of WordPress, a PHP-based CMS, and shared hosting providers, most of which don't allow customers to install custom PHP extensions, mainly due to the hazard these untested or unknown extensions pose to their infrastructure.

In Arciszewski's thinking, adding Libsodium to the PHP core would eliminate the need for shared hosting providers and their customers to deal with security-minded PHP extensions, since basic and secure cryptography would be supported by default in modern PHP versions.

"Shared hosting providers are the culprits here," said Arciszewski. "VPS providers typically (always, in my experience) give you root on your own virtual machine and let you have at it."

Additionally, he says Libsodium would eliminate the need to convince the WordPress team to improve its security practices, since they'd be left with no choice but to use the improved cryptography functions already available in PHP.

The many reasons why PHP needs Libsodium

In an email to Bleeping Computer, Arciszewski presented more arguments for why adding the library to the PHP core is so beneficial to the overall state of PHP security.

Adding libsodium to the PHP core does several nice things at once:
1. It tells shared web hosting providers who upgrade their users to PHP 7.2, "You want/need this."
2. It tells operating system developers, "This is essential; make it part of the default install," if they aren't already doing so. (Most aren't.)
3. It allocates space in the PHP manual for the libsodium extension, which means developers will have official documentation to access.
4. It allows PHP 7.2+ to use libsodium features internally. For example, PHP Archives (the Phar extension) can soon have Ed25519 signatures.
5. It allows open source projects developed for PHP 7.2+ to demand libsodium be installed without killing off any potential userbase.

"Each one of those would, independently, be a modest but somewhat significant win," Arciszewski wrote via email. "I believe security should be for everyone, not just the 1% who can afford to purchase it."

"Marrying the two [PHP and Libsodium] is the most logical and straightforward way to get better security in the hands of [PHP] developers who wouldn't have the time or cryptography experience to build something as secure on their own," Arciszewski also added.

"PHP powers at least 82% of websites on the Internet. Libsodium is the library that most cryptographers recommend for application-layer cryptography," the expert said.

Libsodium already existed and does it right, so that's what I proposed.
- Scott Arciszewski

Libsodium is a portable, cross-compilable, modern, easy-to-use software library for encryption, decryption, signatures, password hashing and more. The library is written in C, just like the PHP source code.

Many companies, such as Keybase, Digital Ocean, Riseup, Yandex, Wire, and Zcash, already deploy Libsodium with their services.

PHP, not Go or Erlang, is the first programming language

Arciszewski explains the technical advantages of using the library, and why Libsodium is one of today's most modern cryptography libraries in an article penned last week.

He also explains why PHP is actually "the first" programming language to support a "modern" cryptography library in its core, despite Erlang and Go including similar libraries, which he claims are not as complete and up-to-date as PHP's upcoming Libsodium implementation.

Prior to getting involved with adding Libsodium to PHP, Arciszewski had his run-ins with the WordPress security team after he lobbied for the addition of a strong CSPRNG (Cryptographically Secure PseudoRandom Number Generator) to WordPress 4.4, and found several flaws in the WordPress update process that would have allowed an attacker to hijack all WordPress sites on the Internet.

Arciszewski was also one of the cryptography experts who signed an open letter to The Guardian this month, urging the paper to retract a story that incorrectly stated that WhatsApp included an encryption backdoor.