
159 points botanica_labs | 16 comments
1. Rygian No.45670722
Here's an idea, from a parallel universe: Cloudflare should have been forced, by law, to engage a third party neutral auditor/pentester, and fix or mitigate each finding, before being authorised to expose the CIRCL lib in public.

After that, any CVE opened by a member of the public, and subsequently confirmed by a third party neutral auditor/pentester, would result in 1) fines to Cloudflare, 2) award to the CVE opener, and 3) give grounds to Cloudflare to sue their initial auditor.

But that's just a mental experiment.

replies(6): >>45670816 #>>45670838 #>>45671337 #>>45671605 #>>45672140 #>>45672495 #
2. trklausss No.45670816
What do you mean, practices from safety-critical industries applied to security? Unpossible! (end /s)

For that you need regulation that enforces it. On a global scale it is pretty difficult, since it's a country-by-country thing... If you say e.g. for customers in the US, then US Congress needs to pass legislation on that. Trend is however to install backdoors everywhere, so good luck with that.

3. jjk7 No.45670838
The license reads: 'THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"'.
replies(1): >>45671742 #
4. jonathanstrange No.45671337
What? We're talking about a free open source library (that I happen to use). Nobody who writes and publishes software for free should be subject to any such regulations. That's why the licenses all contain some "provided as is, no warranty" clause.

Otherwise, nobody would ever write non-commercial cryptographic libraries any longer. Why take the risk? (And good luck with finding bugs in commercial, closed source cryptographic libraries and getting them fixed...)

replies(1): >>45671814 #
5. semiquaver No.45671605
Seems like you want open source software to die.
replies(1): >>45671723 #
6. Rygian No.45671723
A more charitable interpretation could be "seems like you want large corporations, which have the financial means, to take security seriously and build a respectable process before publishing security solutions whatever the license".
replies(1): >>45674327 #
7. Rygian No.45671742
If you bought a car and your dealer had you sign an EULA with that sentence in it (pertaining specifically to the security features of your car), would you feel safe to ride it at highway speeds?
replies(2): >>45672019 #>>45672080 #
8. Rygian No.45671814
Taking the parallel-universe idea a bit further: for-profit actors must accept financial accountability for the open source software they engage with, whereas not-for-profit actors are exempt or even incentivised.

Build an open-source security solution as an individual? Well done you, and maybe here's a grant to be able to spend more of your free time on it, if you choose to do so.

Use an open-source security solution to sell stuff to the public and make a profit? Make sure you can vouch for the security, otherwise no profit for you.

replies(1): >>45672155 #
9. stonemetal12 No.45672019
Every used car sold outside of the major brand's certified used car programs is "As Is". So yeah, I would.
replies(1): >>45672171 #
10. TheDong No.45672080
If I went to a lot that had a sign at the entrance saying "Open Source Cars, feel free to open the hood and look to learn stuff. No warranty implied. Some may not function. All free to duplicate, free to take parts from, and free to take home", and then took a car from the lot and drove it home, no I would not be surprised if it fell apart before getting out of the lot.

When you purchase a car, you pay actual money, and that adds liability, so if it implodes I feel like I can at least get money back, or sue the vendor for negligence. OSS is not like that. You get something for free and there is a big sign saying "lol have fun", and it's also incredibly well known that software is all buggy and bad with like maybe 3 exceptions.

> If you bought a car and your dealer had you sign an EULA with that sentence in it (pertaining specifically to the security features of your car)

If the security features are implemented in software, like "iOS app unlock", no I would not expect it to actually be secure.

It is well known that while the pure engineering disciplines, those that make cars and planes and boats, mostly know what they're doing... the software engineering industry knows how to produce code that constantly needs updates and still manages to segfault in so much as a strong breeze, even though memory safety has been a well understood problem for longer than most developers have been alive.

replies(1): >>45672452 #
11. ramon156 No.45672140
Lol based on what law? They're doing nothing illegal. Insane take
12. jonathanstrange No.45672155
No thanks, that would kill my one-man software business before I have even started selling a single product, and I'd also have to withdraw every open source repository I have on GitHub. If you want to pay 10 times more for software and make sure only large corporations sell it to you, your plan is fantastic. Otherwise, not so great.
13. AlotOfReading No.45672171
Speaking to US laws, auto manufacturers are required to fix design bugs that cause safety issues regardless of warranty or used status, at no cost to the owner. You may be familiar with the standard name for those fixes, "recalls". It's illegal to sell a vehicle with unresolved recalls, though the government deliberately avoids enforcing that as aggressively as they could.

It's a very different system from software's "NO WARRANTY OF ANY KIND".

14. Rygian No.45672452
> then took a car from the lot and drove it home, no I would not be surprised if it fell apart before getting out of the lot.

Congrats, the brakes failed, you caused bodily damage to an innocent bystander. Do you take full responsibility for that? I guess you do.

Now build a security solution that you sell to millions of users. Have their private data exposed to attackers because you used a third party library that was not properly audited. Do you take any responsibility, beyond the barebones "well I installed their security patches"?

> It is well known that while the pure engineering disciplines, those that make cars and planes and boats, mostly know what they're doing... the software engineering industry knows how to produce code that constantly needs updates and still manages to segfault in so much as a strong breeze, even though memory safety has been a well understood problem for longer than most developers have been alive.

We're aligned there. In a parallel universe, somehow we find a way to converge. Judging by the replies and downvotes, not in this universe.

15. qeternity No.45672495
People really just go on the internet and say stuff.

Code is speech. Speech is protected (at least in the US).

16. semiquaver No.45674327
All software is a security solution in one way or another. If open sourcing something risked massive liability no one would do it.