I don't know many people who actually work in cryptography who believe that verification is cheaper and easier than building systems.
People absolutely do, for the most part, trust DJB because of his track record. Find 10 people who have adopted Poly1305 and ask them what Poly1305 does better than GCM. That's not to say their decision is uninformed; rather, they've delegated a very specialized part of the decision that very few people are actually qualified to make out to an expert they trust, and trust for good reason.
In practical cryptography, the opposite approach --- people who trust nothing until they verify it from first principles --- is extremely problematic. That's how you end up with oddball libraries that only look like they can do a secure scalar multiplication or reliably add two numbers together. As Bruce Schneier is fond of pointing out, everyone can design a system they themselves can't break.
Magento is incompetent on much simpler levels than this.
1. Someone thought chmod 777 was a good idea, ever, under any circumstances. Not only is this standard practice in Magento installs (it's a how-to step in many books on Magento), it's all through the actual codebase.
The below is from the Magento Enterprise 1.14.0.1 tarball, downloaded from the company (and I double-checked this after someone questioned this last time I brought this up):
The way we eventually dealt with hosting Magento (which we had strongly advised against) was a concrete sarcophagus and a thirty-kilometre exclusion zone:
* a cron line specifically to remove o-w permissions from all files in the webroot every minute (which is very inelegant, but the alternative is maintaining our own patches to core).
* Files not owned by www-data, except where Magento must be able to write to them.
* deploy all webroot files as a user whose files the webserver can't write.
* cron.sh (Magento's internal cron) runs as root out of the box. We ran it as www-data.
* AppArmor to keep Magento from ever, ever being able to pull shit. This caught Magento's more antisocial tendencies on more than one occasion.
* Admin login: use a path other than "/admin" to foil quite a lot of attack bots at the very simplest level.
We have outsourced our remaining Magento, thankfully, and I don't personally have to maintain the above any more. (You know you've been administering Magento a bit long when you can hum along to bits of "Metal Machine Music" accurately.)
The use case for Magento is (apparently deliberately) confused. It's an unholy melange of a CMS and a shopping basket. There is no good out-of-the-box experience; in practice it's a job creation scheme for consultants.
Even crap-tier "well technically I can tell my boss's boss we have paid support" support, with a four-day response time for them to ask you a simple question you already put the answer to in the original ticket, is swingeingly expensive. I can't say what we're paying for this standard of quality, but I can say that it's public knowledge that Magento is at least $13k/yr: http://web.archive.org/web/20120215011525/http://www.magento...
The problem Magento seems to solve is when the business wants a quick site without developer involvement. After a few other abortive platforms (Plone, Drupal - which are both fine for what they are, in ways Magento just isn't, but didn't end up matching our needs), our eventual solution to this was Wordpress, which we have outsourced so I don't have to think about that either. Outsourced Wordpress with securing it being the host's problem is totally the right answer.
I don't have a good answer on the shopping basket, but Magento was bad enough at that too that we went back to our in-house homerolled system.
I understand some work has gone into Magento 2.0 to make it less mind-bogglingly horrible.
That's pure snake oil. The little asterisk compounds their mistake:
Because updates are securely installed within one
hour of their availability, the time-scale of a
fix being applied is no longer meaningfully
measured in days. Zero hours are the new zero
days.
That's not what "zero day" means. It isn't the time between a security fix becoming available and a vulnerable system installing said patch. Rather, it's the time between a vulnerability being discovered and said vulnerability being disclosed. It's great that this vendor has a mechanism for quickly distributing security updates, but that isn't going to mitigate zero day vulnerabilities. Rather, zero days would be mitigated by SDLC activities that would help them discover novel vulnerabilities in their code, like design/code reviews, static analysis, or fuzzing. If they want to reassure their customers that they're good at infosec, then they need to do a lot more than spout some BS about how their automatic update mechanism stops zero days when it can't.
Looks nice on the surface. The only thing that leaps out at me from the readme, is the lack of a suggested way to store/recover the salt? Ideally I'd see a function that takes a "password" and some "plaintext" - generates a salt from an OS provided source, an IV (if applicable) and returns a package of the cipher-text along with the salt (and IV).
I suppose there might be instances where the cipher-text without the salt might be useful -- but I can't immediately think of any. Keeping the salt "semi-secret" is akin to using a two-key system: the password the user knows, and the salt that the server knows -- but it strikes me as a brittle way of doing things, and provides unclear promises wrt. availability etc (can the user always recover the data, only remembering the password?).
One could of course construct such a function on top of the primitives provided here - but I think it would make a lot of sense to provide something along the lines of:
* sym_enc(password, plaintext)
  -> returns "box": autogenerated-salt|ciphertext
  -> possibly with a version header, indicating KDF (& enc algo) used (could just be a magic number)
  Should obviously use an AEAD mode
* sym_dec(password, box)
  -> retrieves key by getting KDF, salt from box, regenerating key
  -> and returns decrypted plaintext
There's nothing wrong with exposing the KDF functions I suppose, but it feels like it's aiming a bit low, in close proximity to one's feet.