• Resolved Sebastian

    (@sebstein)


    At the moment, you are using some Google API to generate the QR code. To do that you are sending the secret to the Google API. However, the secret should only be shared between the WordPress installation and the user. Therefore, you should generate the QR code on the server side.

    You can achieve that using a library like PHPQRCode. Make sure to directly embed the QR code as SVG in the HTML source. That way, no temporary files will contain the QR code either.

    https://www.ads-software.com/plugins/google-authenticator/
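As an added example (not code from the plugin or from anyone in this thread), this is how the original post's suggestion can be implemented in PHP: the otpauth:// URI is built and encoded locally with PHPQRCode and emitted as inline SVG, so the secret never leaves the server and never touches a temporary file. It assumes PHPQRCode's qrlib.php is on the include path and that QRcode::text() returns the module matrix as an array of '0'/'1' strings; the issuer, account name and secret are constructed sample values.

```php
<?php
// Added example (not the plugin's own code): build the otpauth:// URI for a
// TOTP secret and render it as inline SVG on the server. No third-party
// chart API sees the secret and nothing is written to disk.
// Assumption: PHPQRCode's qrlib.php is on the include path and
// QRcode::text() returns one string of '0'/'1' characters per module row.
require_once 'phpqrcode/qrlib.php';

function totp_provisioning_uri(string $issuer, string $account, string $secret): string
{
    // Label and issuer are URL-encoded; the Base32 secret needs no encoding.
    $label = rawurlencode($issuer) . ':' . rawurlencode($account);
    return 'otpauth://totp/' . $label
        . '?secret=' . $secret
        . '&issuer=' . rawurlencode($issuer);
}

function qr_svg(string $data, int $module = 4, int $margin = 4): string
{
    // Encode locally; each row is a string of '1' (dark) / '0' (light) modules.
    $rows  = QRcode::text($data, false, QR_ECLEVEL_M);
    $count = count($rows);
    $size  = ($count + 2 * $margin) * $module;
    $svg   = sprintf(
        '<svg xmlns="http://www.w3.org/2000/svg" width="%d" height="%d" '
        . 'viewBox="0 0 %d %d" shape-rendering="crispEdges">',
        $size, $size, $size, $size
    );
    $svg  .= sprintf('<rect width="%d" height="%d" fill="#fff"/>', $size, $size);
    foreach ($rows as $y => $row) {
        for ($x = 0; $x < $count; $x++) {
            if ($row[$x] === '1') {
                $svg .= sprintf(
                    '<rect x="%d" y="%d" width="%d" height="%d" fill="#000"/>',
                    ($x + $margin) * $module, ($y + $margin) * $module, $module, $module
                );
            }
        }
    }
    return $svg . '</svg>';
}

// Usage in the user-profile page: the SVG goes straight into the HTML output.
// The secret below is a constructed sample value, not a real credential.
$uri = totp_provisioning_uri('Example Blog', 'admin', 'JBSWY3DPEHPK3PXP');
echo qr_svg($uri);
```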

Viewing 15 replies - 1 through 15 (of 19 total)
    +1

    Depending on a no longer maintained QRcode lib doesn’t seem like a good idea.

    Best regards
    Henrik Schack

    Thread Starter Sebastian

    (@sebstein)

    Well, it is a much better idea than sharing a secret with an external service. Also, the library works and there are recent updates on the GitHub page I linked above.

    Let’s take a moment and think about what it is this plugin is supposed to do.

    I assume you have nothing secret on a publicly visible blog.
    So I guess what matters the most is that unauthorized people don’t get access to your administration backend and post a lot of porn-crap or malware infection kits etc.

    With this in mind I don’t think getting a QRcode from Google's servers over HTTPS is a risk worth mentioning.

    Best regards
    Henrik Schack

    Hello, I agree with @henrik Schack.

    Sharing the QRcode with Google Servers is probably one of the safest methods of applying this security authentication option. Google will always take the correct action to protect websites that are displayed by their search engines and are monitored and managed by their Servers.

    Google would never carry out any action that would go against their security policies.

    I trust Google and that is why I use Google search engine 98% of the time.

    In my humble opinion.

    Kind regards

    Thread Starter Sebastian

    (@sebstein)

    I really hope the post by @mbrsolution is meant as satire?

    Anyway, I still don’t understand what advantages you have from using the Google API. Instead, I see several advantages from using a library on the server even if we totally ignore the security implications for a minute:

    • You don’t need to adapt to possible Google API changes.
    • Creating the QR code is faster as you don’t have an HTTP round trip.
    • You don’t need to prepare your code for situations when the API is not available.
    • You only implement the QR code library usage once (it’s 3 lines of code).

    So even if the library is unmaintained, it shouldn’t be a big deal as it does the job, the QR code algorithm isn’t changing and the library will most likely be compatible with many future PHP versions.

    Hi

    I see nothing but advantages from using the Google API.

    There have been no API changes during the time I’ve used the Google API.

    Speed? Seems a bit irrelevant; it’s way fast enough. The added code from the QRCode lib would only stress low-memory installations further.

    Google down? Now that was a joke, right?

    I won’t include that huge lib just to generate a QR code.

    Best regards
    Henrik Schack

    Thread Starter Sebastian

    (@sebstein)

    Unfortunately, Google being down and API changes are not a joke; I have experienced that several times in the last 5 years.

    Anyway, your decision, but please state clearly in the documentation section that the secret gets shared with Google to generate the API key. I think that’s the absolute minimum you have to do so that the users of the plugin can make a decision on their own whether that’s important for them.

    Google will always take the correct action to protect websites that are displayed by their search engines and are monitored and managed by their Servers. Google would never carry out any action that would go against their security policies.

    1) I like Google, I think they’re trustworthy, but that’s not the point. If you’re serious about security, you don’t rely on trust. You minimize your vulnerabilities as much as possible, because you can never foresee how circumstances will change in the future, or how something could be exploited in ways you never thought of.

    2) Even if you trust Google, do you trust the NSA? Because they’ll intercept communication between your host’s network and Google, and between Google’s data centers. Do you assume that they’re not capable of decrypting the data? Even if you do trust the NSA, do you trust that Wikileaks won’t get ahold of some of the data the NSA captured and release it publicly?

    The bottom line is that using a remote API unnecessarily exposes the application to additional vulnerabilities that wouldn’t be present if the QR code were generated locally instead.

    Sebastian, I’d encourage you to see if you can write an add-on plugin for Google Authenticator that will disable the default QR generation method and replace it with that library. That approach worked well for me when I wanted to move the token prompt to a separate screen.

    Maybe Henrik would be open to adding any necessary hooks to the plugin to facilitate your add-on. I think that would be a good compromise, since it would allow people to have the option of avoiding the remote API call, but wouldn’t have to change the core plugin to do it.

    Hi @ian Dunn, I agree with your point.

    My humble apologies if my words were not written in the interest of security but perhaps they were more intended to compliment @henrik Schack the plugin developer for his hard work with this great plugin.

    Kind regards

    perhaps they were more intended to compliment @henrik Schack the plugin developer for his hard work with this great plugin.

    No doubt. Google Authenticator is one of the most useful WordPress security plugins in my opinion, and I use it on all my sites. Regardless of any differing opinions on specific points, Henrik has done a great job, and the plugin is a great contribution to the WordPress community.

    Thread Starter Sebastian

    (@sebstein)

    @ian: Sure, I’m happy to help wherever I can. I’m maintaining a WP plugin and I also used this PHP QR Code library before, so it is really just a matter of a few hours to get everything together!

    FYI, Henrik added a notification about the remote call in r834053.

    QR codes are now created using JavaScript.

    Awesome, thanks Henrik!

  • The topic ‘[Security] Don't use external service to generate QR code’ is closed to new replies.