History of Gossamer
The Phlogiston Era
In the beginning, there was the pipe-shell: Developers would use
to retrieve install scripts and then pipe the output to
sh. This was
deemed reckless by the information security industry, and led to a lot of Twitter
arguments about the Right Way to deliver source code.
Let's Make Security Easy As PIE
On , PIE launched a secure-by-default CMS called CMS Airship that offered secure code delivery for the core CMS as well as third-party dependencies.
Although we continued to innovate in this space, we weren't fully satisfied with solutions that didn't cover the entire PHP ecosystem. So we decided to think bigger.— Scott Arciszewski, October 2019
All For One and One For All
The original design for what would become Gossamer was originally proposed in , which led to the development of a proof-of-concept called HERD (Hash-Ensured Replicated Databases), which was named after the concept of herd immunity in pathology.
By combining the idea of maintaining a local snapshot of the current state of affairs from HERD with the original secure code delivery designs of Airship, we later arrived at a scalable design distinct from either of its predecessors.
Towards Securing the Entire PHP Ecosystem
Ticket #39309 was opened in the WordPress issue tracker on , which outlined the problem and proposed a simple and immediate solution to get WordPress to sign the core updates that are applied automatically.
In October 2017, PIE released Certainty, a utility for keeping CACert.pem files (used for connecting to HTTPS-secured websites with cURL) up-to-date. Part of the verification Certainty employs is powered by Chronicle: an append-only cryptographic ledger based on BLAKE2b.
WordPress Secures Their Automatic Updates
On , WordPress 5.2 was released to the world, which included a mechanism for verifying the Ed25519 signature before applying automatic updates. This effectively improved the security of 33% of the Internet in one fell swoop.
For WordPress users on versions of PHP older than 7.2, sodium_compat provided the cryptographic implementation with no binary dependencies (n.b. if ext/sodium is installed through PECL, sodium_compat defers to the binary implementation written in C for better performance).
While signing core updates is a good way to prevent an attacker capable of compromising the WordPress update servers from getting immediate RCE on the entire WordPress ecosystem, Plugin and Theme updates were still vulnerable.
This presented a catch-22 for the WordPress community:
- Force the WordPress Security Team to sign ALL Updates with their Signing Key
- Increased access to signing key means more risk of leakage
- Doesn't scale to the entire developer community
- Not in the spirit of Free Software
- Use a Public Key Infrastructure for Managing Developer Keys
- Also cumbersome
- Adds the complexity of X.509 and ASN.1 to the WordPress core
- Increases the attack surface for bugs like CVE-2020-0601
- No good story for key/update revocation
In 2021, PIE launched this website to track the multiple ongoing parallel efforts to secure WordPress and Composer with Gossamer.
And that's where we are !