159 points botanica_labs

Rygian No.45670722
Here's an idea, from a parallel universe: Cloudflare should have been forced, by law, to engage a third party neutral auditor/pentester, and fix or mitigate each finding, before being authorised to expose the CIRCL lib in public.

After that, any CVE opened by a member of the public, and subsequently confirmed by a third party neutral auditor/pentester, would result in 1) fines to Cloudflare, 2) award to the CVE opener, and 3) give grounds to Cloudflare to sue their initial auditor.

But that's just a mental experiment.

jjk7 No.45670838
The license reads: 'THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"'.
Rygian No.45671742
If you bought a car and your dealer had you sign an EULA with that sentence in it (pertaining specifically to the security features of your car), would you feel safe to ride it at highway speeds?
stonemetal12 No.45672019
Every used car sold outside of the major brand's certified used car programs is "As Is". So yeah, I would.
AlotOfReading No.45672171
Speaking to US laws, auto manufacturers are required to fix design bugs that cause safety issues regardless of warranty or used status, at no cost to the owner. You may be familiar with the standard name for those fixes, "recalls". It's illegal to sell a vehicle with unresolved recalls, though the government deliberately avoids enforcing that as aggressively as they could.

It's a very different system from software's "NO WARRANTY OF ANY KIND".