←back to thread

Cryptographic Issues in Cloudflare's Circl FourQ Implementation (CVE-2025-8556)

(www.botanica.software)
159 points botanica_labs | 2 comments | 22 Oct 25 14:22 UTC | HN request time: 0.428s | source
Show context
Rygian ◴[22 Oct 25 15:35 UTC] No.45670722[source]
Here's an idea, from a parallel universe: Cloudflare should have been forced, by law, to engage a third party neutral auditor/pentester, and fix or mitigate each finding, before being authorised to expose the CIRCL lib in public.

After that, any CVE opened by a member of the public, and subsequently confirmed by a third party neutral auditor/pentester, would result in 1) fines to Cloudflare, 2) award to the CVE opener, and 3) give grounds to Cloudflare to sue their initial auditor.

But that's just a mental experiment.

replies(6): >>45670816 #>>45670838 #>>45671337 #>>45671605 #>>45672140 #>>45672495 #
jonathanstrange ◴[22 Oct 25 16:12 UTC] No.45671337[source]
What? We're talking about a free open source library (that I happen to use). Nobody who writes and publishes software for free should be subject to any such regulations. That's why the licenses all contain some "provided as is, no warranty" clause.

Otherwise, nobody would ever write non-commercial cryptographic libraries any longer. Why take the risk? (And good luck with finding bugs in commercial, closed source cryptographic libraries and getting them fixed...)

replies(1): >>45671814 #
1. Rygian ◴[22 Oct 25 16:46 UTC] No.45671814[source]
Taking the parallel-universe idea a bit further: for-profit actors must accept financial accountability for the open source software they engage with, whereas not-for-profit actors are exempt or even incentivised.

Build an open-source security solution as an individual? Well done you, and maybe here's a grant to be able to spend more of your free time on it, if you choose to do so.

Use an open-source security solution to sell stuff to the public and make a profit? Make sure you can vouch for the security, otherwise no profit for you.

replies(1): >>45672155 #
2. jonathanstrange ◴[22 Oct 25 17:12 UTC] No.45672155[source]
No thanks, that would kill my one-man software business before I have even started selling a single product, and I'd also have to withdraw every open source repository I have on Github.If you want to pay 10 times more for software and make sure only large corporations sell it to you, your plan is fantastic. Otherwise, not so great.