A few weeks ago, you may have received notification about a security update to add support for an additional FreePBX master key. A few of you asked us “what is this for?” or “what does this mean for FreePBX?”
- Increase the size of the master key, in order to keep current with security best practices
- New key provides a faster, more reliable public key infrastructure lookups
- Invite 3rd party developers with existing signing keys to get their keys re-signed with the new master key
For those that are not familiar with the way that FreePBX uses GPG keys, they are used to cryptographically sign FreePBX modules that are to be installed on a PBX system. As with modern operating systems, the module installer verifies that the modules have been distributed by an authorized source, i.e. the one that owns the FreePBX master key.
This also allows FreePBX to verify that modules have not been tampered with by potential bad actors (such as hackers, for one example) trying to modify the module code to (for instance) insert backdoors into the system. All in all, it’s a very strong “net positive” from a system security perspective and allows administrators to better trust that their FreePBX systems are not compromised.
GPG Master Key Size
Over the years, the standard best practices encouraged administrators to increase the cryptographic key size. We have chosen to increase our key size to 4KB which is inline with more current best practices.
GPG Key Infrastructure
FreePBX utilized the public key infrastructure for verification of 3rd-party-developers’ keys in order to ensure that they were signed by the FreePBX Master key, which is owned by Sangoma.
Infrastructure such as this can be susceptible to external attacks. That kind of an attack could result in a Sangoma public master key “poisoning”, as it’s called. While the word “poison” sounds scary, it does not mean that the key was lost or compromised – it just means that FreePBX module signature verification could take an inexplicably long time or potentially time out due to FreePBX being unable to retrieve the public key from a key server.
In order to work around this problem, FreePBX developers chose to bypass usage of the public key infrastructure by bundling the public side of the FreePBX master key with the FreePBX distribution, effectively making poisoning a non-issue.
What about the old key?
A few of you have seen comments/posts from 3rd parties not affiliated with Sangoma, that claimed or speculated that Sangoma was going to cancel the old key. Comments from sources outside of Sangoma, about what Sangoma may be planning are probably not reliable, so if you ever have any questions or concerns about something of this nature, please contact me or Jared Smith.
We understand that deprecating the old signing key would be very disruptive to the FreePBX community. Thus, there are no current plans at Sangoma to deprecate the old master key. If circumstances in the future change, it would be done in such a way to minimize disruption.
FreePBX modules signed with the old master key and the 3rd-party-signed developer keys will continue to work.
But we do strongly encourage developers with existing signed keys to reach out to us at firstname.lastname@example.org to have their keys re-signed with the new more secure master key. We also invite any new open source module developers that want to have their keys signed to reach out to us as well.
Separately from the key updates, Sangoma is even exploring ways to offer 3rd party developers access to building and distributing commercial modules. We’ve been asked this a few times over the years and know that historically it was challenging for developers and companies to do so. So we see this as one of the areas we may be able to improve upon and be more flexible, under commercial agreement.
As good stewards of the FreePBX project, Sangoma is working hard to improve and maintain security while offering innovative ways for developers and customers to continue to work with us even more closely and cooperatively in the future.
I would like to conclude by thanking everyone who is involved in pushing the project forward. This includes those of you that help to answer questions in the community forums, submit wiki documentation, contributing patches to the codebase, and any other way you might be contributing. Each person’s efforts in doing so is vital for the life and success of the project.
I wish all of you the best, and look forward to any questions you might have.