Closed klnusbaum closed 4 years ago
even if rocket supports a high quality TLS library, it's still lacking protections against many other attack vectors, that a well established proxy server offers, as well as more in depth protection by "simply" loading a WAF like ModSecurity.
Agree, we should first target to remove the TLS warning.
How to protect from other attack is another big topic but different than this issue.
how about rewording this
Warning: Rocket's built-in TLS is not considered ready for production use. It is intended for development use only.
to something like
Attention: Even though Rocket uses an excellent built-in TLS library, that alone may not be enough to fully protect an application in production.
how about rewording this
Warning: Rocket's built-in TLS is not considered ready for production use. It is intended for development use only.
to something like
Attention: Even though Rocket uses an excellent built-in TLS library, that alone may not be enough to fully protect an application in production.
What do other web frameworks that have well vetted TLS libraries say in their documentation? I've looked at the documentation for Rails, Gorilla, and Django. None of them have any warnings like this. I think adding this extra information is actually distracting and takes away from the documentation about TLS specifically. IMHO if we want to talk more about security in general, we should instead create a dedicated page called "Securing Rocket Applications".
My vote is to wholesale remove the current warning.
rusttls recently recieved a formal security audit. The outcome of the audit seems pretty encouraging. Specifically:
At this point, would it make sense to remove some of the scary warnings regarding TLS support?