Introducing CMS Airship: A Secure Content Management System for the Modern Web

From our active involvement in helping the open source community with security issues, we have identified a lot of deficits in the tools and frameworks available to the general public. We've helped where we can, but many times the best solution is incompatible with the project's other goals and many of the risks are poorly understood by developers (many of whom do not proclaim to be security experts).

As we have previously stated, our philosophy towards software development is:

Software should be secure by default. Tools should be simply, yet comprehensively, secure. Cryptography should be boring (PDF).

To further this initiative, we decided to build Airship. And today, we are launching the first public beta.

What is Airship?

Airship is a hybrid of traditional content management systems and application development frameworks. It openly enables developers to build their own applications (called "Cabins"), plugins ("Gadgets"), themes ("Motifs"), and Engine hacks ("Gears"). We ship with two Cabins:

Hull - A powerful and extensible blogging platform

- A powerful and extensible blogging platform Bridge - The control panel for Hull (and any other Cabins)

You can learn more about the specific benefits of Airship from the project page and the documentation in its Github repository.

Keep in mind, Airship is still beta software.

Airship's Design Goals

The first goal of Airship is to be secure. The second goal of Airship is to be usable. Both goals are, in fact, the same goal.

We started with a humble list of requirements:

It must be self-updating (and updates must be digitally signed).

It must be extensible and respect the user's freedom.

It must be designed to allow multiple applications built for it to run side-by-side.

It must be obviously useful out-of-the-box.

Secure Automatic Updates with Libsodium

Two years ago, a SQL injection vulnerability in Drupal was exploited within 7 hours of the fix being released. Verizon's Data Breach Investigation Report for 2015 showed that most data breaches were caused by known vulnerabilities from years prior that remained unfixed for end users.

Meanwhile, security vulnerabilities roll off Google Chrome users like the water off a duck's back. Chrome has automatic security updates built-in. They require almost no interaction from the user.

We're not the first to realize the value in automatic updates. WordPress already offers them, but with a caveat: If wordpress.org ever gets compromised, every WordPress website can be infected with a malicious update. They don't digitally sign their update files with asymmetric cryptography; instead, they rely on transport-layer security (which does nothing if the endpoint is compromised).

Our updates are signed by an Ed25519 keypair, for which the private key is derived from a salt and passphrase only our staff knows, using the state-of-the-art Argon2i key derivation function. Our package signing takes place on a Raspberry Pi that isn't connected to any networks. Even if our website ever gets compromised, no one can infect our users with a trojan without the secret key.

An Extensible Multi-Site Architecture

As stated above, each Airship application is called a Cabin. Hull is a blogging platform, but there is nothing preventing anyone from building a shopping cart or a message board. We've designed Airship to accommodate many different requirements and use-cases while providing a simple management interface.

When it comes to access controls, each Cabin gets to define its own list of "actions". A blog might get by with simple 'CRUD' logic, but another might need to manage 50 different behaviors. When performing a permissions check, the API will always be the same:

if ($perms->can('read')) { // OK } else { // Access denied. }

Our permissions system is powerful in many other ways. Check out the documentation to learn more.

Airship Release Cycle

Today, we launch the first public beta ( v0.1.0 ). In the near future, we should be ready to tag the first official release ( v1.0.0 ). From that point on, we plan on releasing a minor version every three months and a new major version every year. (Patch releases will be released whenever we need to get a security fix out.)

For example, if version 1.0.0 comes out in the first week of June 2016, then v2.0.0 could be expected in June 2017, v3.0.0 in June 2018, etc.

Each major version will require a newer version of PHP.

Airship 1.0 will require PHP 7.0.

Airship 2.0 will require PHP 7.1.

(And so on...)

Each major version of Airship will be supported for two years, followed by one year of security maintenance. Once the security-only period has ended, the corresponding version of PHP will also no longer be supported. Long-term support contracts will be available to purchase from Paragon Initiative Enterprises.

License

Airship is dual-licensed. Airship is Free Software available under GNU Public License (GPL3) for the general public, but companies interested in using Airship to build non-free software may choose to purchase a commercial license from Paragon Initiative Enterprises. The income we derive from commercial license sales will be used to fund Airship development and our security research efforts.