Simple, secure cryptography lands in PHP 7.2
Some excerpts of the most important points:
The goals were as follows:
Get the sodium extension into the PHP core in version 7.2.
Write a pure-PHP polyfill that supports all the way back to PHP 5.
I'm happy to report that, halfway through 2017, both efforts have been successful.
The pull request was merged yesterday, thereby cementing Sodium's status as a core extension to the next version of the PHP programming language. This means several huge, practical wins for developers:
Simple and secure public key cryptography is baked in, using Diffie-Hellman and digital signatures over Curve25519.
- The old standby, OpenSSL, had public key cryptography interfaces that were vulnerable to a 1998 vulnerability by default, that not even Zend used correctly the first time around.
Interoperability with other protocols that use NaCl or libsodium. (e.g. Noise)
The ability to wipe memory buffers for the first time since PHP's inception.
Encryption algorithms that are not vulnerable to side-channels in the absence of special hardware.
Authenticated encryption, almost exclusively.
I wrote a libsodium quick reference guide last month to demonstrate how the new PHP extension should be used to solve common problems.
PHP 7.2 is scheduled to be released on 2017-11-30 (November 30, 2017).
The other part of the equation was to build a pure-PHP implementation of the cryptography offers. We tagged the first version
1.xrelease of paragonie/sodium_compat last month, and are currently focusing on making sure we're forward compatible with PHP 7.2 and supporting 32-bit operating systems (which was missed during our beta testing because most of the world has moved onto 64-bit hardware).
We've proposed the start of a plan to make Composer, the package manager used by the PHP community, use Chronicle and libsodium to offer secure code delivery by streaming software release metadata into a dedicated Chronicle instance.
My personal dislike of PHP aside, this is a pretty important step in increasing internet-wide security, especially in widely deployed off-the-shelf PHP software.
The article also contains some advice on how to contribute and help support widespread deployment of the new cryptography API. It's definitely worth a read if you spend any amount of time developing PHP or writing articles/tutorials about it.