
Requirement (Gold level): Use basic good cryptographic practices #1189

Open

UlisesGascon opened this issue Jan 4, 2024 · 3 comments

Comments

@UlisesGascon (Member)

We agreed on #1175 to open an issue to follow up a discussion about this requirement for Node.js (cc: @mhdawson @ljharb @RafaelGSS)

The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A).

Context

Potential actions

TBD

@tniessen (Member) commented Jan 6, 2024

I think Node.js fulfills this criterion.

The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3

Arguably, Node.js doesn't have "its network communications," aside perhaps from fetch() or so, which supports TLS/HTTPS.

One noteworthy exception might be node:dns / DNSSEC, which Node.js doesn't support (see nodejs/node#14475) — then again, who would actually use that?

Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it.

SSLv3 is disabled by default (see tls.DEFAULT_MIN_VERSION).

HTTP is supported over arbitrary duplex transports, and whether or not said transports are secure (e.g., HTTP over TLS) is entirely up to the user.

Node.js allows applications to opt-in to insecure protocols and cryptographic mechanisms (e.g., weak DH groups and legacy cryptographic algorithms), but since that's strictly opt-in, I guess it doesn't count.

@ljharb (Member) commented Jan 6, 2024

I think it includes core modules - iow, node has the http and https modules along with fetch - so certainly the project supports secure protocols. DNS is a good question.

HTTP being "enabled by default" I think will be the problematic question here.

github-actions bot (Contributor) commented Apr 6, 2024

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

@github-actions github-actions bot added stale and removed stale labels Apr 6, 2024