The PHP team has unanimously voted to integrate the Libsodium library into the PHP core, making PHP the first programming language to support a modern cryptography library by default.
The proposal to embed Libsodium (also known as Sodium) into the PHP standard library came from Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, who has campaigned for stronger cryptography in PHP CMSes in the past.
Libsodium integration arriving with PHP 7.2
The PHP team approved his proposal with a vote of 37 to 0 and decided that Libsodium will be added to the upcoming PHP 7.2 release that will be launched towards the end of 2017. The current PHP version is 7.1.2.
Arciszewski, who is also a leading cryptography expert, explained that his decision to push for Libsodium's inclusion in the PHP core came because of WordPress, a PHP-based CMS, and shared hosting providers, most of which don't allow customers to install custom PHP extensions, mainly due to the hazard these untested or unknown extensions pose to their infrastructure.
In Arciszewski's thinking, adding Libsodium to the PHP core would eliminate the need for shared hosting providers and their customers to deal with security-minded PHP extensions, since basic and secure cryptography would be supported by default in modern PHP versions.
"Shared hosting providers are the culprits here," said Arciszewski. "VPS providers typically (always, in my experience) give you root on your own virtual machine and let you have at it."
Additionally, he says Libsodium would also eliminate the need to convince the WordPress team to improve its security practices, since they'd be left with no choice but to use the improved cryptography functions already available in PHP.
The many reasons why PHP needs Libsodium
In an email to Bleeping Computer, Arciszewski presented more arguments for why adding the library to the PHP core is so beneficial to the overall state of PHP security.
1. It tells shared web hosting providers who upgrade their users to PHP 7.2, "You want/need this."
2. It tells operating system developers, "This is essential; make it part of the default install," if they aren't already doing so. (Most aren't.)
3. It allocates space in the PHP manual for the libsodium extension, which means developers will have official documentation to access.
4. It allows PHP 7.2+ to use libsodium features internally. For example, PHP Archives (the Phar extension) can soon have Ed25519 signatures.
5. It allows open source projects developed for PHP 7.2+ to demand libsodium be installed without killing off any potential userbase.
"Each one of those would, independently, be a modest but somewhat significant win," Arciszewski wrote via email. "I believe security should be for everyone, not just the 1% who can afford to purchase it."
"Marrying the two [PHP and Libsodium] is the most logical and straightforward way to get better security in the hands of [PHP] developers who wouldn't have the time or cryptography experience to build something as secure on their own," Arciszewski also added.
"PHP powers at least 82% of websites on the Internet. Libsodium is the library that most cryptographers recommend for application-layer cryptography," the expert said.
Libsodium already existed and does it right, so that's what I proposed.
- Scott Arciszewski
Libsodium is a portable, cross-compilable, modern, easy-to-use software library for encryption, decryption, signatures, password hashing and more. The library is written in C, just like the PHP source code.
Many companies, like Keybase, Digital Ocean, Riseup, Yandex, Wire, and Zcash, already deploy Libsodium with their services.
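What the three capabilities named above (encryption, signatures, password hashing) look like through the bundled extension, as an added example that is not code from the article or from Arciszewski. It assumes PHP 7.2 or later with the sodium extension enabled; every message, passphrase and key in it is a constructed sample value.

```php
<?php
declare(strict_types=1);

// Authenticated secret-key encryption; a fresh random nonce is prepended to the ciphertext.
function seal(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

// Returns the plaintext, or throws if the message is truncated or was modified.
function unseal(string $sealed, string $key): string
{
    if (strlen($sealed) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('sealed message too short');
    }
    $nonce = substr($sealed, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($sealed, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

$key    = sodium_crypto_secretbox_keygen();
$sealed = seal('constructed sample message', $key);
echo unseal($sealed, $key), PHP_EOL;

// Flip one bit of the ciphertext: decryption must be refused rather than return garbage.
$tampered = $sealed;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
try {
    unseal($tampered, $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Ed25519 detached signature (the scheme the article mentions for Phar) over a constructed payload.
$pair    = sodium_crypto_sign_keypair();
$payload = 'constructed release archive bytes';
$sig     = sodium_crypto_sign_detached($payload, sodium_crypto_sign_secretkey($pair));
$pk      = sodium_crypto_sign_publickey($pair);
var_dump(sodium_crypto_sign_verify_detached($sig, $payload, $pk));        // original payload
var_dump(sodium_crypto_sign_verify_detached($sig, $payload . 'x', $pk));  // modified payload

// Password hashing with the library's default memory-hard function, then verification.
$hash = sodium_crypto_pwhash_str('constructed passphrase', SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE);
var_dump(sodium_crypto_pwhash_str_verify($hash, 'constructed passphrase'));
sodium_memzero($key); // wipe the secret key from memory once it is no longer needed
```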
PHP, not Go or Erlang, is the first programming language
Arciszewski explains the technical advantages of using the library, and why Libsodium is one of today's most modern cryptography libraries in an article penned last week.
He also explains why PHP is actually "the first" programming language to support a "modern" cryptography library in its core, despite Erlang and Go including similar libraries, which he claims are not as complete and up-to-date as PHP's upcoming Libsodium implementation.
Prior to getting involved with adding Libsodium to PHP, Arciszewski had his run-ins with the WordPress security team after he lobbied for the addition of a strong CSPRNG (Cryptographically Secure PseudoRandom Number Generator) to WordPress 4.4, and found several flaws in the WordPress update process that would have allowed an attacker to hijack all WordPress sites on the Internet.
Arciszewski was also one of the cryptography experts who signed an open letter to The Guardian this month, urging the paper to retract a story that incorrectly stated that WhatsApp included an encryption backdoor.
Comments
sergegirard - 7 years ago
PHP is not a programming language, but a scripting language!
Serge
juhudix - 7 years ago
When does a "scripting language" graduate into a programming language?
The basic definition of a computer programming language reads as follows, as quoted from Wikipedia, which ironically, is written in PHP:
"A programming language is a formal language that specifies a set of instructions that can be used to produce various kinds of output. Programming languages generally consist of instructions for a computer. Programming languages can be used to create programs that implement specific algorithms."
If you have ever seen the inside of a computer science class, that's all there is to it - no more, no less.
yuliay - 7 years ago
I know that now the most popular language is Java... Look at that research:
https://www.cleveroad.com/blog/research-of-most-popular-programming-languages-for-2017
AllieKem - 7 years ago
Nice post!
But there are also worthwhile languages to add https://erminesoft.com/objectivec-vs-swift/
alexblack1 - 7 years ago
Good article!
Read also worthwhile mobile languages https://artjoker.net/blog/best-programming-language-for-mobile-app-development/
robertrex - 6 years ago
Being a part of a web design agency, I recognize that No doubt nowadays Cryptography is on its boom & It is an elevation for the PHP for acquiring this High-tech technology in their domain but one thing will remain a question mark for the programming technologists that is the critical drawback of Cryptography observed by the technologist, due to transfer of complex encrypted, authentic, and digitally signed information can constitute challenges to the legitimate user.
In addition, I think if PHP adopts Cryptography, There will be a possible change in the starting of other war can take place between Asp.net and PHP. Read More: https://www.branex.com/blog/why-choose-php-over-asp-net/ .
rohit12345 - 5 years ago
Nice post, PHP is important for the design and development of any website. PHP is user-friendly and easy to develop any kind of part and it is not time-consuming. By the developing of the website, most of this is using. You nicely describe the information about the PHP language.
http://technobizzar.com/
limratechnosys - 5 years ago
PHP is important for website development. PHP is even helpful for app development. Limra Technosys is a leading mobile app development company in Mumbai, who use multiple languages for developing mobile apps & websites.
Develop your mobile app & website today visit- https://www.limratechnosys.com/
JackRichard - 5 years ago
It basically depends upon the requirements. PHP is principally worried to building sites whereas Java can be utilized in making sites also manufacture electronic structures.
https://www.nx3corp.com/search-engine-marketing.html
laurenF - 5 years ago
I've been modifying utilizing PHP expertly since 10 years now. After my Computer Engineering degree. Go has numerous extraordinary highlights, obviously, it's not only a mashup language. Go presented go routines, which are a stunning method to handle simultaneous.
https://www.branex.ae/
vervelogicuae - 5 years ago
One of the best technology to adopt.
https://www.vervelogic.ae/
etcsfzc - 5 years ago
PHP is a free open source scripting language.
https://www.etcsfzc.com
jessicaah - 5 years ago
PHP is the best technology as compared to dot net, as it cost less and also the best programming language among users. My site of Student Life Saviour is partly developed on Wordpress Platform and partly on PHP, as it can be viewed at: https://studentlifesaviour.com/sg
walnut211 - 5 years ago
Nice post. I was checking constantly this blog and I am impressed! Extremely helpful information specially the last part I care for such info a lot. I was seeking this particular information for a very long time. Thank you and good luck
https://www.walnut.in/digital-marketing-agency/
AppsMaven - 5 years ago
Thanks for this valuable content with us.
shaunalan - 4 years ago
It essentially depends upon the requirements. PHP is principally concerned to structure sites whereas Java can be utilized in making site also produce electronic structures. https://www.cmolds.com/
jb310702 - 4 years ago
Interesting information. This library is really needed because more and more attention is paid to security. Libsodium includes carefully selected algorithms by security experts. The likelihood of side vulnerabilities in this library is minimal after software testing life cycle https://innovecs.com/blog/software-testing-lifecycle/.
webdevelopment - 4 years ago
Nice post.
You can checkout our Web Development Service (https://webdesignerxx.online) service.
hellopixelsdigital - 3 years ago
Top post, PHP Programming language is one of the best for the Web design and Web development of any website. PHP is user-friendly and easy to develop any kind of part and is easy to develop with more features.
https://www.hellopixels.com/website-development/
laurencenorman - 3 years ago
I was checking continually this blog and I am intrigued! Very accommodating data uniquely the last part I care for such information a ton. I was looking for this specific data for seemingly forever.
https://clayive.com/
alisjohn - 2 years ago
something they have previously avoided. Additionally, it would enable PHP and CMS developers to add sophisticated cryptographic capabilities to apps that operate on shared hosting providers, although they were previously unable to do so due to the lack of support for current encryption in PHP extensions. Here are more explanations of the other factors that contributed to his idea. Arciszewski asserts that despite Erlang and Go having similar libraries, which he claims are less potent and current than PHP's planned Libsodium implementation, PHP is actually "the first" programming language to have a "modern" cryptography library in its core.
https://directory99.net/
sitiffanymarsh - 1 year ago
That's an interesting article, thank you! I believe that to hire Python devs can be a strategic move to enhance your PHP-based projects' security and cryptography capabilities. With the approval of Libsodium's inclusion in the PHP core, upcoming PHP 7.2 release will offer robust cryptography support by default. This eliminates the need for shared hosting providers to restrict custom PHP extensions and enhances security for CMS platforms like WordPress. Embrace the power of Libsodium and strengthen your PHP projects with improved cryptography functions