
Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults

90 points | mikeevans | 12 years ago | bugs.ruby-lang.org

26 comments

steveklabnik | 12 years ago
There's been a lot of anger around Twitter on this. I've also seen a lot of people cherry-picking a non-native speaker's words out of context too. Specifically, "Ruby is not a project for security."

That doesn't mean that this bug is not important, or that the Ruby team's decision as it currently stands is a good one. But it's a complex issue.

coherentpony | 12 years ago
If someone gave me that sentence, I wouldn't know whether the person that wrote it was a native speaker or not.
insecure_ruby | 12 years ago
"It's a complex issue" == Ruby Security Fails again.

It is a cracker's dream that so much Ruby code is being exposed to the web these days. Such low-hanging fruit. Even the script kiddies laugh at the ease of compromise.

Sigh.

state_machine | 12 years ago
"Ruby is not a project for security."

That's from ruby-core. That's a frightening attitude for a project to take.

dperfect | 12 years ago
Did you actually read the context of that quote, which happens to communicate almost exactly the opposite of what you're inferring (and implying by quoting it out of context)?
est | 12 years ago
Now it's got deleted. Anyone have a screenshot or cache or something?
dontuseruby | 12 years ago
At least they are being honest I suppose. If you want a secure language and ecosystem - don't use Ruby.

Security - they've heard of it, at least now.

ces1 | 12 years ago
Non-SSL expert here and first-time poster (not trolling). Python also uses a wrapper for OpenSSL and has similar issues with default settings. Is this problem specific to Ruby, or does it affect Python apps as well?
tptacek | 12 years ago
The SSL2 ClientHello thing is, IIRC, also a compat hack; Firefox used it (at least until recently) when it connected through proxies.
briansmith | 12 years ago
Firefox stopped using it on 2011-08-16. If you've seen Firefox using it recently when connecting through proxies, please let me know.
girvo | 12 years ago
So does PHP, though this is fixed in 5.5 IIRC.