Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Crypto Go :we are a research group to help developers build secure applications. #292

Open
1047261438 opened this issue Aug 28, 2022 · 1 comment

Comments

@1047261438
Copy link

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector (i.e., CryptoGo) on Go language. We found your great public repository from Github, and several security issues detected by CryptoGo are shown in the following.
Note that the cryptographic algorithms are categorized with two aspects: security strength and security vulnerability based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defined certain rules derived from the APIs of Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows:
(1) Location: jceks/pbe.go:84;
Broken rule: R-01: MD5 is an insecure algorithm;
(2) Location: starttls/psql/conn.go:1566;
Broken rule: R-01: MD5 is an insecure algorithm;
(3) Location: jceks/jceks.go:208;
Broken rule: R-01: SHA-1 is an insecure algorithm;
(4) Location: starttls/mysql/utils.go:94;
Broken rule: R-01: SHA-1 is an insecure algorithm;
(5) Location: jceks/pbe.go:100;
Broken rule: R-02: 3TDEA is acceptable but not recommended;
(6) Location: starttls/mysql/dsn.go:502;
Broken rule: R-11: SSL/TLS use insecure verification;
(7) Location: starttls/psql/ssl.go:17;
Broken rule: R-11: SSL/TLS use insecure verification;
(8) Location: starttls/starttls.go:51;
Broken rule: R-11: SSL/TLS use insecure verification;
(9) Location: lib/certs.go:244;
Broken rule: R-12: Package pkcs12 is deprecated;
We wish the above security issues could truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.

@mcpherrinm
Copy link
Contributor

None of these are applicable here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants