search

nodejs / security-wg

Node.js Ecosystem Security Working Group
MIT License
488 stars 121 forks source link

Requirement (Gold level): Use basic good cryptographic practices #1189

Open UlisesGascon opened 6 months ago

UlisesGascon commented 6 months ago

We agreed on #1175 to open an issue to follow up a discussion about this requirement for Node.js (cc: @mhdawson @ljharb @RafaelGSS)

The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A).

Context

Potential actions

TBD

tniessen commented 6 months ago

I think Node.js fulfills this criterion.

The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3

Arguably, Node.js doesn't have "its network communications," aside perhaps from fetch() or so, which supports TLS/HTTPS.

One noteworthy exception might be node:dns / DNSSEC, which Node.js doesn't support (see https://github.com/nodejs/node/issues/14475) — then again, who would actually use that?

Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it.

SSLv3 is disabled by default (see tls.DEFAULT_MIN_VERSION).

HTTP is supported over arbitrary duplex transports, and whether or not said transports are secure (e.g., HTTP over TLS) is entirely up to the user.

Node.js allows applications to opt-in to insecure protocols and cryptographic mechanisms (e.g., weak DH groups and legacy cryptographic algorithms), but since that's strictly opt-in, I guess it doesn't count.

ljharb commented 6 months ago

I think it includes core modules - iow, node has the http and https modules along with fetch - so certainly the project supports secure protocols. DNS is a good question.

HTTP being "enabled by default" i think will be the problematic question here.

github-actions[bot] commented 3 months ago

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

github-actions[bot] commented 2 weeks ago

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.