Requirement (Gold level): Use basic good cryptographic practices
UlisesGascon opened this issue · comments
We agreed on #1175 to open an issue to follow up a discussion about this requirement for Node.js (cc: @mhdawson @ljharb @RafaelGSS)
The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A).
Context
- Discussion during the last meeting (Minute 42:46)
- CII Best Practices: Security
- Team Discussion
- See related question in Silver Criteria
Potential actions
TBD
I think Node.js fulfills this criterion.
The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3
Arguably, Node.js doesn't have "its network communications," aside perhaps from fetch()
or so, which supports TLS/HTTPS.
One noteworthy exception might be node:dns
/ DNSSEC, which Node.js doesn't support (see nodejs/node#14475) — then again, who would actually use that?
Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it.
SSLv3 is disabled by default (see tls.DEFAULT_MIN_VERSION
).
HTTP is supported over arbitrary duplex transports, and whether or not said transports are secure (e.g., HTTP over TLS) is entirely up to the user.
Node.js allows applications to opt-in to insecure protocols and cryptographic mechanisms (e.g., weak DH groups and legacy cryptographic algorithms), but since that's strictly opt-in, I guess it doesn't count.
I think it includes core modules - iow, node has the http
and https
modules along with fetch
- so certainly the project supports secure protocols. DNS is a good question.
HTTP being "enabled by default" i think will be the problematic question here.
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.