Excellent blog post from Filippo on legacy SSL brokenness and Go 1.17
75 views
Skip to first unread message
Amnon
Sep 17, 2021, 2:03:14 AM9/17/21
to golang-nuts
https://go.dev/blog/tls-cipher-suites
In case anyone has not seen it, Filippo has published a blog post which shows
how SSL Cypher Suite negotiation is fundamentally broken in the older TLS versions.
My understanding of the post is that to run a secure server on the internet,
just make sure you are building with Go 1.17.1 (or whatever is the latest version),
you no longer need to specify choice of secure CipherSuites that you accept.
Go's Crypto will just do the right thing, and as application developers we no longer
need to get involved in the details.
This supersedes the advice in Flippo's 2016 Cloudflare post on the subject,
(though setting sensible timeouts to mitigate DDOS attacks is still a good idea).
Have I understood this right?
In case anyone has not seen it, Filippo has published a blog post which shows
how SSL Cypher Suite negotiation is fundamentally broken in the older TLS versions.
My understanding of the post is that to run a secure server on the internet,
just make sure you are building with Go 1.17.1 (or whatever is the latest version),
you no longer need to specify choice of secure CipherSuites that you accept.
Go's Crypto will just do the right thing, and as application developers we no longer
need to get involved in the details.
This supersedes the advice in Flippo's 2016 Cloudflare post on the subject,
(though setting sensible timeouts to mitigate DDOS attacks is still a good idea).
Have I understood this right?
Reply all
Reply to author
Forward
0 new messages