You guys know I like to bash Go, but... FUCK!
"The Go security team has determined that the root causes of the vulnerabilities cannot be reliably addressed."
OK, your language design has some serious flaw that can't be fixed, so they are basically saying "Yup, a core library is going to be vulnerable for a long time".
Also, this has been going on since August 2020, according to the related post. Project Zero works way fast (30 days) to disclose issues in every other project, but on a project from their own company, 4 months.
Google surely cares about the well-being of the internet, sure.
Link: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
@rysiek You're sooooo lucky that I wasn't drinking any coffee when reading that, otherwise you'd own me a new keyboard. 😜
@juliobiason thanks to high security standards of the tech industry, somebody else might have in fact already owned your keyboard...
@craigmaloney Shush. Don't spoil the solution I'll point out in my blog post! 😜
@juliobiason Eh... I think the real issue according to the Mastodon post and most commenters is that SAML does a hash before serialization - which is something we all know is a bad idea now.
Sure, the golang issue isn't great, but everyone has pointed out that the stdlib xml encoding was never meant for cryptographically secure purposes.
I'd still take the golang stdlib any day for all of its usefulness out of the box if this is the first (and honestly... meh) trade-off.
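Added example (editor's code, not from the thread, the Mattermost write-up or the Go project) showing concretely what "the stdlib xml encoding was never meant for cryptographically secure purposes" means: a decode-and-re-encode cycle through encoding/xml is not byte-stable, so a digest computed over the re-serialized document does not match a digest over the bytes that were actually received and must not be what a signature check hashes. The sample documents are constructed for the demo and the function names are my own; only standard-library calls are used.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// roundTrip decodes doc with the encoding/xml token API and immediately
// re-encodes every token with xml.Encoder, returning the re-serialized
// bytes. This "parse, then serialize again" step is exactly what a
// signature verifier must never feed into its hash: the output is
// well-formed XML, but it is not the input.
func roundTrip(doc string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var out bytes.Buffer
	enc := xml.NewEncoder(&out)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", err
		}
		// Token() reuses internal buffers; copy before handing it on.
		if err := enc.EncodeToken(xml.CopyToken(tok)); err != nil {
			return "", err
		}
	}
	if err := enc.Flush(); err != nil {
		return "", err
	}
	return out.String(), nil
}

// isByteStable reports whether doc survives a decode/encode cycle
// unchanged. A parse error counts as "not stable".
func isByteStable(doc string) bool {
	rt, err := roundTrip(doc)
	return err == nil && rt == doc
}

// digestHex is the SHA-256 of s, standing in for whatever digest the
// signature scheme covers. The digest of the original bytes and the digest
// of the re-serialized bytes agree only when the round trip is byte-stable.
func digestHex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed inputs; each one is legal XML.
	samples := []string{
		`<a><b>x</b></a>`,               // byte-stable
		`<a x='1'/>`,                    // quote style and self-closing tag get normalized
		`<x:b xmlns:x="urn:example"/>`, // namespace prefix is rewritten by the encoder
	}
	for _, s := range samples {
		rt, err := roundTrip(s)
		if err != nil {
			fmt.Printf("%-30s error: %v\n", s, err)
			continue
		}
		fmt.Printf("%-30s -> %-40s stable=%v sameDigest=%v\n",
			s, rt, s == rt, digestHex(s) == digestHex(rt))
	}
}
```

The second sample alone is enough to break a verifier that hashes re-serialized output: `<a x='1'/>` comes back as `<a x="1"></a>`, a different byte string with a different digest, even though no attacker touched anything. The practical rule that follows is the one the thread is circling: verify the signature over the exact bytes you received (or over a real C14N canonicalization), and only then hand those same bytes to encoding/xml for processing.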
@juliobiason I found the comments on the HN post to be pretty interesting. I learned a lot more about XML specs and how difficult they are to manage and implement.
@juliobiason Wait, we still believe that Google Project Zero is independent? Lol, I have a rich Nigerian uncle that wants to meet you.
@patrick It shouldn't sound like that.
My annoyance is the fact that both projects, Project Zero and Go, are under the G umbrella, but it seems PZ goes to great lengths to point out issues in several products but none in the company's own products.
Also, by their reports, it seems PZ has some great resources for finding issues.
This dichotomy of products inside the same company is the annoying part: why not use PZ resources on G products themselves?
I can even put on my paranoid hat and say that G does not do this with their own products to keep PZ doing disclosures in 30 days, while giving their own products more time to adjust.
It is really weird that they could seriously use their resources to improve their own products, but instead decided to use them to point out problems in others.
@juliobiason why is it necessarily language design? It is an XML API; surely there is a safe way to do it.
@juliobiason no no, you don't get it, it's part of Google's plan to get people to stop using XML.
o b v i o u s l y