End to end encryption for WordPress
The leaking of information by Edward Snowden has helped increase awareness of privacy, but unfortunately most people do not know how to securely store their own data. I have seen people storing extremely sensitive data within WordPress installations and assuming everything is fine because they used a “private page” or placed a password on it. But private and password protected pages only control who WordPress will show the post to; the post itself sits in the database as plaintext, readable by your hosting provider, by anyone who compromises the server, and by anyone who can compel the operator to hand it over. HTTPS, when correctly configured, protects the data while it is in transit between your browser and the server, but it does nothing for the copy at rest on the server.
The only real fix for this within WordPress is end to end encryption: encrypt in the browser, so that the server never holds anything it could leak. The End to end encryption plugin for WordPress is my attempt to help alleviate this problem within the WordPress sphere and perhaps increase the prevalence of secure data storage across the interwebz.
These guys are after your data! End to end encryption may be the only way to stop them.
How?
The trick to ensuring true end to end encryption within WordPress is to encrypt your posts in the browser before they are sent to the server, and to decrypt them only once they arrive back in the browser. The server stores and serves nothing but ciphertext, so the only place the plaintext and the key ever meet is the computer being used to read or write the post.
Even if the server is hacked, all that can be taken from it is a blob of encrypted data. To get at the content, either your computer would need to be compromised or you would need to be forced to hand over the encryption key. With the End to end plugin, not even your own WordPress installation can decrypt your content, because it never sees the key.
One attack vector remains: the JavaScript that does the encrypting and decrypting is itself delivered by the server, so whoever controls the server (or the connection to it) can replace it with a version that quietly sends your key or your decrypted content elsewhere. That could be closed off with a browser plugin that supplies its own trusted JavaScript (see below for more on this possibility), but in the meantime what I have here will hopefully be sufficient for most people’s purposes.
Downsides
The big downside to end to end encryption is that you need to provide the encryption key every time you want to access the content. I may be able to implement key storage via the browser’s offline storage in future, but I haven’t implemented it yet. Note that a key kept in the browser’s storage is readable by any script running on the site’s origin, including whatever JavaScript the server sends, so this would trade convenience for a wider exposure of the key.
You will not be able to perform server side searching with encrypted posts. Since the content is encrypted, WordPress has no way to search through it. Front-end searching is technically possible, but not practically feasible, since every page on the site would have to be downloaded and decrypted before it could be searched.
The normal WordPress content filters cannot be applied (WordPress cannot read the content). So things like paragraph tags and line breaks need to be added manually: what you put into the WordPress editor is stored and later rendered as raw HTML. Any extra content added by plugins will also not appear on encrypted posts, including many plugins that add things like social sharing icons, since most of them work by filtering the post content.
Encryption type
The encryption used within the end to end WordPress plugin is the AES implementation by Chris Veness, which runs AES in counter (CTR) mode with the key derived from the passphrase you type. AES is the Rijndael cipher as standardised by NIST. It is the cipher approved by the US government for classified data up to TOP SECRET (with 192- or 256-bit keys) and is considered the industry standard for storing extremely sensitive data. Two caveats apply to how that library uses it: the key is derived from the passphrase without a salt or any key stretching, so the strength of the passphrase is the whole of the security, and CTR mode on its own provides no integrity check, so anyone holding the stored blob can alter the ciphertext without the change being detected on decryption.
Joan Daemen and Vincent Rijmen, the two Belgian cryptographers who developed the Rijndael cipher, which AES is based on.
To learn more about AES and symmetric ciphers, check out Symmetric Ciphers from Leo Laporte and Steve Gibson. Because the key is derived directly from your passphrase, the passphrase needs to be long and unguessable; a short one or a dictionary word can be found simply by trying candidates against the stored blob. Head on over to Steve Gibson’s password haystacks page to help find a suitable passphrase/encryption key.
Innovation?
There is nothing particularly innovative about this WordPress plugin, but it is intended to lower the barrier of entry for those wanting to properly encrypt their own content online. I’ve seen plenty of other tools which claim to protect your data through encryption, but these almost always fall down somewhere. The recent case of the USA authorities compelling Ladar Levison to hand over the SSL keys for the Lavabit email service is a prime example of what goes wrong when content is protected by the server rather than end to end: whoever holds the server’s keys can be compelled to give them up.
Guaranteed?
I’m not guaranteeing anything with this plugin! To the best of my knowledge the cipher is secure, and in principle I believe there is no way to access your data without deploying new JavaScript onto the page, directly attacking your computer or forcing you to hand over the encryption key. But I’m not claiming to be an expert at this stuff, so if I get anything wrong, don’t go pointing the finger at me! Hopefully someone with more knowledge on this subject will be able to review the code and processes for me.
Installation
Note: This is a beta and contains some known issues (see below) which will be fixed shortly.
Download the End to end plugin beta, install it in your WordPress site and activate it.
There will be an encryption key input field above “Publish” when editing a post. If a key is set, then encryption will be applied and you will be prompted to re-enter it to view the content again.
It is critical to ensure that you do not forget the keys. If you forget them, you will never be able to recover the content; that is the point of this plugin, since without the key there should be no way to get at it.
Note: Since this is true end-to-end encryption, you will be required to enter this EVERY time you access this content.
Showing the editing page when using the End to end WordPress plugin.
Browser plugin
To provide a truly secure system (assuming the user’s own browser is secure), a browser plugin would be required, because of the risk of the server deploying malicious JavaScript that could be used to acquire the encryption key. The browser plugin could block the page itself from loading any JavaScript, then supply its own JavaScript to handle the encryption and decryption.
Personally, I’m not paranoid enough to require that much protection just yet, but it may be a suitable project for the future perhaps. If anyone would like to tackle it, I’m super keen to work together on it.
Demo
I’ve put up a demo at geek.ryanhellyer.net/encryption-demo. The encryption key for this demo is “test” (you should never use a key this short; I only did so here because it is a demo).
Inspiration
I have been storing my own sensitive data in a pseudo-secure way for a long time now, and after listening to many episodes of the Security Now podcast by Steve Gibson and Leo Laporte over the past few years, I decided it was time I found a solution to my problem. The End to end encryption plugin now allows me to store anything I like within my WordPress installation without fear that evildoers may be snooping in.
Security Now! with Leo Laporte and Steve Gibson. An excellent resource for learning about how to keep your data secure online.
Ryan Hellyer says:
Kaspars Dambis kindly pointed out that I haven’t handled nonces correctly, which is a security problem in itself.
It also seems there is some confusion over the use of JavaScript, so I’m going to update the page at some point to explain this issue more clearly. As it stands, there is an attack vector (which I alluded to above) caused by the use of in-page JavaScript. If the server is compromised, then so could the JavaScript itself, and so you could inadvertently hand over your encryption key if the JavaScript were attacked. To get around this issue, it will be necessary to write a browser plugin, but hopefully the plugin is useful to many people in its current form. It’s certainly better than no protection at all.
I also need to fire an error if you attempt to submit the post without having JavaScript turned on (I hadn’t thought of this issue until now).
December 2, 2013 at 10:28 am
Alex McMillan says:
Brilliant, Ryan - this is just the kinda thing we need to begin with. I hope you keep developing it and don’t get bored with it.
Cheers,
Alex
December 6, 2013 at 10:56 pm
Ryan Hellyer says:
I’m working on it right now. It had WAYYY too many bugs, so needed quite a bit of work. I found another bug about two minutes ago too. If you try to use the visual editor in WordPress, it breaks it, which would be okay since you would see it’s broken, but if you decrypt an old message, then flick to the visual editor and hit “Update”, it actually sends your decrypted message back to the server … poop.
Is there any chance you know much about browser plugins, Alex? I tried looking through the Chrome documentation but it looked a little confusing to me, and I’m hoping I can find someone interested in this stuff who can assist me in building that side of it. It’s okay in its current form (once I iron out the bugs), but it’s not truly secure due to the risk of someone tampering with your JavaScript.
December 6, 2013 at 11:01 pm
Alex McMillan says:
Sorry Ryan, I’d love to help but I’m committed to too many projects right now as it is and I don’t want to start giving false promises. Good luck tho man - great cause!
December 6, 2013 at 11:50 pm
Paul says:
Hey Ryan,
Isn’t HTTPS supposed to protect against man in the middle attacks if it’s correctly configured?
http://stackoverflow.com/a/14907718/285564
December 8, 2013 at 1:06 pm
Ryan Hellyer says:
https offers protection from client to server. This plugin is attempting to provide protection from client to server, then back to client.
Of course, it is not perfect, since there is the potential for the server to launch a JavaScript attack on you, but that’s why I’m suggesting the construction of a browser plugin to avoid that risk.
December 8, 2013 at 1:09 pm
Ryan Hellyer says:
I forgot to mention one other problem with https … if someone has access to the root certificate, then they can decrypt ALL of your traffic, making https kinda useless. It has already been revealed that the NSA has been obtaining expired certificates, which can be used to retrospectively decrypt content even after the certificate has long since expired and is no longer in use.
December 8, 2013 at 1:19 pm