43 points dschofie | 3 comments
purpleidea No.40217271
If this doesn't also _add_ some "accidental" backdoor, I'd be surprised.

Microsoft's security reputation is so flawed that some parts simply must be intentional, or coerced.

Don't use this repo. Very interesting TIL about golang at Microsoft. Thanks for sharing.

replies(3): >>40217309 >>40217335 >>40217441
1. tptacek No.40217309
It's built from source. You can just diff it. Of course, you don't have to, because they provide the patches.

Don't use any FIPS branch of any platform, because FIPS is terrible. But the argument presented here seems facile.

replies(1): >>40217490
2. SAI_Peregrinus No.40217490
FIPS is terrible, except that sometimes if you shout "FIPS 140 compliance for US gov contracts" enough into the corporate hierarchy you eventually get the budget to implement any security whatsoever, even though it's just FIPS.

If you're not trying to get US government contracts that require it, don't bother with FIPS. It mandates older algorithms; they're mostly secure enough but not as performant and there are a lot more footguns. FIPS 140-3 fixed a few, but not all.

replies(1): >>40225166
3. dadrian No.40225166
There's a difference between FIPS approved algorithms, which are actually pretty broad and well-selected these days, and FIPS validated implementations, which are at best a PITA and often actively harmful. Very rarely do you actually need a FIPS-validated implementation.