Requirement (Gold level): Use basic good cryptographic practices

Question

Requirement (Gold level): Use basic good cryptographic practices

UlisesGascon opened this issue 5 months ago · comments

We agreed on #1175 to open an issue to follow up a discussion about this requirement for Node.js (cc: @mhdawson @ljharb @RafaelGSS)

The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A).

Context

Discussion during the last meeting (Minute 42:46)
CII Best Practices: Security
Team Discussion
See related question in Silver Criteria

Potential actions

TBD

Tobias Nießen · Answer 1 · Sat Jan 06 2024 09:37:39 GMT+0800 (China Standard Time)

I think Node.js fulfills this criterion.

The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3

Arguably, Node.js doesn't have "its network communications," aside perhaps from fetch() or so, which supports TLS/HTTPS.

One noteworthy exception might be node:dns / DNSSEC, which Node.js doesn't support (see nodejs/node#14475) — then again, who would actually use that?

Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it.

SSLv3 is disabled by default (see tls.DEFAULT_MIN_VERSION).

HTTP is supported over arbitrary duplex transports, and whether or not said transports are secure (e.g., HTTP over TLS) is entirely up to the user.

Node.js allows applications to opt-in to insecure protocols and cryptographic mechanisms (e.g., weak DH groups and legacy cryptographic algorithms), but since that's strictly opt-in, I guess it doesn't count.

Jordan Harband · Answer 2 · Sun Jan 07 2024 06:16:28 GMT+0800 (China Standard Time)

I think it includes core modules - iow, node has the http and https modules along with fetch - so certainly the project supports secure protocols. DNS is a good question.

HTTP being "enabled by default" i think will be the problematic question here.

github-actions · Answer 3 · Sat Apr 06 2024 08:13:32 GMT+0800 (China Standard Time)

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.