Tor is apparently no longer a safe place to run a marketplace for illegal goods and services. With the alleged operator of the original Silk Road marketplace, Ross Ulbricht, now going to trial, the arrest of his alleged successor and a number of others in a joint US-European law enforcement operation, and the seizure of dozens of servers that hosted "hidden services" on the anonymizing network, the operators of the latest iteration of Silk Road have packed their tents and moved to a new territory: the previously low-profile I2P anonymizing network.
On the surface, I2P (which originally was an acronym for "Invisible Internet Project") is similar in many ways to the Tor Project's anonymizing service. Like Tor, I2P encapsulates and anonymizes communications over the Internet, passing Web requests and other communications through a series of proxies to conceal the location and identity of the user. Like Tor, I2P also allows for the configuration of websites within the network that are concealed from the Internet at large. Called "eepsites," these equivalents to Tor's hidden services can only be reached by using the anonymizing network or a portal site that connects to the I2P proxy network.
But there are some significant differences between Tor and I2P beneath the surface, from the technologies they are based on to how the networks are implemented. In many ways, I2P is a much less mature technology than Tor—but it has the potential to anonymize a greater range of applications and services as it gains adoption, and its architecture is theoretically less vulnerable to the sorts of de-anonymizing attacks that some researchers have claimed to have been able to use against Tor.
As we have continued to refocus on the security of WordPress plugins due to our work on new plugin that warns of known vulnerabilities in WordPress plugins the question of who has a responsibility for improving the security of WordPress plugins has come up. Relying on the developers of the plugins to insure they are secure doesn’t seem to be working as many of the vulnerabilities we have reviewed are things that are not the result of complex issues, so they could have been prevented with relatively basic security precautions. Since WordPress is a volunteer effort expecting that those volunteers would be responsible for the overall security of third-party software doesn’t see right. But what about the company closely connected with WordPress, Automattic? With a valuation of over billion dollars they certainly have the financial wherewithal to bear the burden of some responsibility, but in the past we would have said no since they didn’t seem to have a direct connection with plugins, but as we recently stumbled upon they are taking advantage of them for business purposes.
Recently a reflected cross-site scripting (XSS) vulnerability was discovered in the Frontend Uploader plugin. After confirming that the vulnerability existed in the most recent version we went looking for a way to contact the developer of the plugin to alert that the vulnerability existed in their plugin. While doing that we came across a page for the plugin at Automattic’s Wordpress.com VIP, a service where you can pay starting amounts of $5,000 a month for hosting and $1,250 for support. It turns out they offer a number of the plugins from the wordpress.org Plugin Directory to the customers of their VIP service. They tout those plugins (as partner integration) with this:
We’ve added 200+ extra features on top of WordPress for everyone on WordPress.com—and just for VIPs, we’ve added the additional plugins below, which can be integrated into your sites with a single-click, so you can take advantage of powerful partner integrations and features without touching a line of code.
Based on all of this we certainly think that Automattic has a responsibility for improving the security of WordPress plugins since they are getting benefit from them.
If they are going to live up to that responsibility they have a lot of work to do, as can be seen in this case. After the vulnerability was disclosed in a plugin they are redistributing they don’t appear to have done anything about. As far as we can tell the vulnerability was only fixed after we reported the vulnerability to the people running the WordPress.org Plugin Directory (since we couldn’t find a direct contact for the developers of the plugin) and them pulling the plugin pending a fix. While the plugin was gone from the Plugin Directory it was still listed on the WordPress.com VIP website, though we don’t know if they continued to distribute it. It doesn’t even look as if people using WordPress.com VIP would know that the plugin had a vulnerability fixed since the changelog makes no mention of the new version, 1.9.3, or the security fix in it (which unfortunately is an all to common problem when plugins receive security fixes).