Most active commenters

    Microsoft Maintains Go Fork for FIPS 140-2 Support

    (github.com)
    43 points dschofie | 21 comments | 30 Apr 24 19:02 UTC | HN request time: 1.262s | source | bottom
    1. ◴[30 Apr 24 19:02 UTC] No.40214872[source]
    2. interroboink ◴[30 Apr 24 22:19 UTC] No.40217126[source]
    Does anyone with FIPS experience know what sort of changes are entailed by those requirements?

    This repo doesn't seem to list what sort of high-level/conceptual changes are involved. I could look at the diff, but that sounds exhausting :Þ

    replies(2): >>40217140 #>>40219000 #
    3. bpicolo ◴[30 Apr 24 22:21 UTC] No.40217140[source]
    They document exactly that https://github.com/microsoft/go/tree/microsoft/main/eng/doc/...
    4. metadat ◴[30 Apr 24 22:22 UTC] No.40217149[source]
    There used to be the GO FIPS branch:

    https://github.com/golang/go/tree/dev.boringcrypto/misc/bori...

    But it looks dead for some time.

    However https://github.com/golang-fips/go sprung up to take it's place.

    I wonder why microsoft prefers to maintain it's own in entirety rather than share a piece of the burden.

    replies(2): >>40217321 #>>40218936 #
    5. purpleidea ◴[30 Apr 24 22:36 UTC] No.40217271[source]
    If this doesn't also _add_ some "accidental" backdoor, I'd be surprised.

    Microsoft's security reputation is so flawed, that some parts simply must be intentional, or coerced.

    Don't use this repo. Very interesting TIL about golang at Microsoft. Thanks for sharing.

    replies(3): >>40217309 #>>40217335 #>>40217441 #
    6. tptacek ◴[30 Apr 24 22:39 UTC] No.40217309[source]
    It's built from source. You can just diff it. Of course, you don't have to, because they provide the patches.

    Don't use any FIPS branch of any platform, because FIPS is terrible. But the argument presented here seems facile.

    replies(1): >>40217490 #
    7. abtinf ◴[30 Apr 24 22:40 UTC] No.40217321[source]
    > Our goal is to share this implementation with others in the Go community who have the same requirement, and to merge this capability into upstream Go as soon as possible.

    From the readme.

    8. ◴[30 Apr 24 22:41 UTC] No.40217328[source]
    9. nvy ◴[30 Apr 24 22:42 UTC] No.40217335[source]
    >Microsoft's security reputation is so flawed, that some parts simply must be intentional, or coerced.

    They are a lot better than they used to be. They went through a trial by fire in the 90s and early 00s and came through for the better.

    It's worth noting that classified computer systems in the military-industrial complex run Windows, and not Linux, nor do they run the security cosplay that is OpenBSD.

    10. bitwize ◴[30 Apr 24 22:52 UTC] No.40217441[source]
    Jonathan Blow ranted about the susceptibility of open source to supply chain attacks from state actors, which discussion recently became germane again in light of the xz backdoor.

    What he didn't discuss was how vulnerable proprietary vendors (including, but by no means limited to, Microsoft) are to "rubber-hose vulnerability injection".

    Anyway, it's good to see Microsoft actually participating in the open source process.

    11. SAI_Peregrinus ◴[30 Apr 24 22:57 UTC] No.40217490{3}[source]
    FIPS is terrible, except that sometimes if you shout "FIPS 140 compliance for US gov contracts" enough into the corporate hierarchy you eventually get the budget to implement any security whatsoever, even though it's just FIPS.

    If you're not trying to get US government contracts that require it, don't bother with FIPS. It mandates older algorithms; they're mostly secure enough but not as performant and there are a lot more footguns. FIPS 140-3 fixed a few, but not all.

    replies(1): >>40225166 #
    12. gct ◴[01 May 24 02:36 UTC] No.40218936[source]
    EEE
    replies(3): >>40219488 #>>40224639 #>>40232874 #
    13. korginator ◴[01 May 24 02:39 UTC] No.40218943[source]
    You would be interested in this if you need the 'crypto' library to work in a FIPS 140-2 compliant way. You can switch on / off this mode by setting the runtime variable GOFIPS=1 before running your Go program [1]. Nice.

    It looks like the Go community officially has no plans to support FIPS140-2 any time, so I'm glad to see this alternative.

    [1] https://github.com/microsoft/go/tree/microsoft/main/eng/doc/...

    14. YZF ◴[01 May 24 02:50 UTC] No.40219000[source]
    The general theme is that you need to be using approved ciphers and you need to have your key management code certified by some external entity. It is an exhausting process ;)
    15. metadat ◴[01 May 24 04:25 UTC] No.40219488{3}[source]
    What?
    replies(1): >>40220748 #
    16. camkego ◴[01 May 24 08:11 UTC] No.40220748{4}[source]
    From Wikipedia: https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...

    "Embrace, extend, and extinguish" (EEE),[1] also known as "embrace, extend, and exterminate",[2] is a phrase that the U.S. Department of Justice found[3] was used internally by Microsoft[4] to describe its strategy for entering product categories involving widely used open standards, extending those standards with proprietary capabilities, and using the differences to strongly disadvantage its competitors.

    Please see the Wiki article for the full deal including footnotes.

    17. cosmotic ◴[01 May 24 15:27 UTC] No.40224639{3}[source]
    It's not fair to say EEE in response to every apparently good thing Microsoft does.
    18. dadrian ◴[01 May 24 16:03 UTC] No.40225166{4}[source]
    There's a difference between FIPS approved algorithms, which are actually pretty broad and well-selected these days, and FIPS validated implementations, which are at best a PITA and often actively harmful. Very rarely do you actually need a FIPS-validated implementation.
    19. entropyie ◴[01 May 24 20:33 UTC] No.40229012[source]
    I'd be happy if just made Defender stop detecting all my go binaries as Malware...
    20. bogantech ◴[02 May 24 05:06 UTC] No.40232874{3}[source]
    Ah yes they're going to extinguish Go with a checks notes... open-source fork