
159 points | botanica_labs | 1 comment

Rygian No.45670722
Here's an idea, from a parallel universe: Cloudflare should have been forced, by law, to engage a third party neutral auditor/pentester, and fix or mitigate each finding, before being authorised to expose the CIRCL lib in public.

After that, any CVE opened by a member of the public, and subsequently confirmed by a third party neutral auditor/pentester, would result in 1) fines to Cloudflare, 2) award to the CVE opener, and 3) give grounds to Cloudflare to sue their initial auditor.

But that's just a mental experiment.

1. trklausss No.45670816
What do you mean, practices from safety-critical industries applied to security? Unpossible! (end /s)

For that you need regulation that enforces it. On a global scale it is pretty difficult, since it's a country-by-country thing... If you say, e.g., for customers in the US, then the US Congress needs to pass legislation on that. The trend, however, is to install backdoors everywhere, so good luck with that.