State of Go security across versions 1.4.x, 1.5.x, 1.6


Adrian Sampaleanu

Feb 2, 2016, 11:49:00 AM2/2/16
to golang-nuts

We are currently using Go 1.4.2 in production. As security is a primary concern in our business and as I'm a Go newbie, I was wondering if anyone could give an opinion on the level of security (in terms of non-hackability, reduced exploitable surface, etc.) offered to the same application running on Go 1.4.x, 1.5.x, and the imminent version 1.6. I'm aware that the compiler and runtime have been rewritten in Go for 1.5 and I presume that at least that factor has some security implications. Would the general advice be to move away from 1.4.x as soon as possible, or to wait for the later versions to prove themselves?

TIA for all opinions, rants, observations.

Brian Hatfield

Feb 2, 2016, 1:14:40 PM2/2/16
to Adrian Sampaleanu, golang-nuts
The only CVE I am personally aware of against a version of Go in your list is against 1.5.2 (1.5.3 was released to address this): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8618


Shawn Milochik

Feb 2, 2016, 1:28:42 PM2/2/16
to golang-nuts
Of possible interest in this thread:

I ran the SSL Labs TLS test [1] against a server compiled with Go 1.5.3, but got a less than perfect grade for not having perfect forward secrecy. Compiling with 1.6 beta2 fixed that problem, and now I get an A rating.
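
The forward-secrecy line on an SSL Labs report comes down to one thing: whether the server will negotiate a cipher suite with an ephemeral (ECDHE/DHE) key exchange or lets a client fall back to plain RSA key exchange, where the session secret is encrypted to the server's long-term key and recorded traffic becomes readable if that key ever leaks. The program below is an added example, not code from this thread or from the Go project, showing how to run that check locally against a server you control instead of via an external scanner. It generates a throwaway self-signed RSA certificate in-process, starts a server on the loopback interface twice (once offering only an RSA-key-exchange suite, once ECDHE-only), connects a deliberately permissive client, and reports the negotiated suite. The names ServerConfig, SelfSignedRSA, Negotiate and HasForwardSecrecy are my own, the certificate and suite lists are constructed for the example, and it is written against the current crypto/tls API (tls.CipherSuiteName), so it needs a far newer Go than the 1.4 to 1.6 versions discussed above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Added example, not code from the thread. Assumes the server being graded is ours,
// so a throwaway copy can run on loopback with a self-signed cert made in-process.
// HasForwardSecrecy reports whether a suite's key exchange is ephemeral: (EC)DHE in
// TLS 1.2, and every TLS 1.3 suite by design. Plain RSA key exchange is not.
func HasForwardSecrecy(suite uint16) bool {
	name := tls.CipherSuiteName(suite)
	return strings.Contains(name, "_ECDHE_") || strings.Contains(name, "_DHE_") ||
		strings.HasPrefix(name, "TLS_AES_") || strings.HasPrefix(name, "TLS_CHACHA20_")
}

// ServerConfig returns a TLS 1.2 server config. With forwardSecrecy=false it offers
// only RSA key exchange (premaster secret encrypted to the long-term key, so recorded
// traffic is readable later if that key leaks); with true it offers ECDHE suites only.
func ServerConfig(cert tls.Certificate, forwardSecrecy bool) *tls.Config {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // stay on 1.2, where the suite list decides
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256},
	}
	if forwardSecrecy { // ECDHE only; no TLS_RSA_* suite can ever be chosen
		cfg.CipherSuites = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}
	}
	return cfg
}

// SelfSignedRSA builds a throwaway "localhost" certificate and a pool that trusts it.
func SelfSignedRSA() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Negotiate runs one handshake against server on loopback using a client that still
// accepts RSA key exchange, and returns the suite the server chose. A permissive
// client is the point: the server configuration alone must guarantee forward secrecy.
func Negotiate(server *tls.Config, roots *x509.CertPool) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		done <- err
	}()
	client := &tls.Config{RootCAs: roots, ServerName: "localhost", MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_128_GCM_SHA256}}
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	if err := <-done; err != nil {
		return 0, err
	}
	return conn.ConnectionState().CipherSuite, nil
}

func main() {
	cert, roots, err := SelfSignedRSA()
	if err != nil {
		panic(err)
	}
	for _, fs := range []bool{false, true} {
		suite, err := Negotiate(ServerConfig(cert, fs), roots)
		fmt.Println("ECDHE-only server:", fs, "->", tls.CipherSuiteName(suite), "forward secrecy:", HasForwardSecrecy(suite), err)
	}
}
```

The client deliberately offers TLS_RSA_WITH_AES_128_GCM_SHA256 alongside an ECDHE suite: a scanner does the same, and a server that leaves RSA key exchange in its list will be caught by it. Note that current Go releases already drop RSA-key-exchange suites from the default list, so the weak case only reproduces when a config names such a suite explicitly, as ServerConfig does here.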

Adrian Sampaleanu

Feb 2, 2016, 2:14:51 PM2/2/16
to golang-nuts, nma...@gmail.com
I was aware of this CVE, but my question would be whether, with this patch, 1.5.3 would be seen as more bulletproof compared to 1.4.3 (because this version might be considered deprecated enough in some respects to have various issues resolved) and 1.6rc1 (because it's too new and hasn't proven itself)? If you had to choose from the POV of security, which version would you go with?

Adrian Sampaleanu

Feb 2, 2016, 2:17:13 PM2/2/16
to golang-nuts, Sh...@milochik.com
Shawn, would you be able to run that test against that server compiled with 1.4.3? I'm curious how that stacks up since, as I mentioned to Brian, I'm looking for a relative ranking of the three versions such that a case might be made for switching to one or another sooner rather than later.