FIPS dependencies and prebuilt binaries(www.docker.com)
22 pointsby LaurentGoderre5 hours ago6 comments
  • direwolf205 hours ago
    FIPS compliance should be used when the customer demands FIPS compliance, and at no other time. It does not make your software more secure. The federal government has many reasons for its Information Processing Standards, and actual security isn't high up the list.
  • JasonADrury5 hours ago
    > FIPS compliance is a great idea that makes the entire software supply chain safer

    Yes, gotta implement that Dual_EC_DRBG compatibility.

    FIPS compliance is not a great idea, the benefits are questionable and possibly nonexistent. It's also significantly worse advice than simple "implement decent modern crypto", you can do all kinds of really bizarre stuff and still be FIPS compliant.

    • pixl973 hours ago
      >FIPS compliance is not a great idea, the benefits are questionable and possibly nonexistent.

      I counter about the benefits of FIPS. If you don't do it, you don't get paid by the government for whatever contract you have. Many people find getting paid to be beneficial.

      Now, it's not the vast majority of applications, but I'm sure there are a significant number of developers on HN that are working on applications that need to meet FedRamp requirements and posts like this point out potential pitfalls on what needs enabled.

      Not much different when dealing with stuff like STIGs. A large number of them are highly questionable and may only apply to very specific applications, yet you see barely trained button pushers saying you need to follow them. If you're aware of them when writing your application it will save a bunch of implementation headaches when it ends up in the field.

    • tptacek2 hours ago
      I don't like FIPS and think people should avoid FIPS-compliance projects but FIPS doesn't require you to implement Dual EC.
  • voidfunc3 hours ago
    FIPS is what happens when idiots get promoted and start reading too much LinkedIn CISO slop.

    If a customer demands FIPS compliance charge them out the ass for it. Its not inherently secure, it requires in some cases massive re-engineering of product and toolchains, and mostly seems to be an ask from clueless deep pocketed Fortune 500 companies looking to minimize liability claims after a breach by being able to point at their FIPS compliance.

    • Aloha2 hours ago
      FIPS is ancient and dates from the era when encryption was unusual and rare. That is why some of it seems so arcane. FIPS 140 didnt even allow software encryption until 140-3, 140-2 required a hardware secure enclave.
      • PeterWhittaker38 minutes ago
        Definitely false, at least historically. The original FIPS only required HW at levels 3 and 4, "required" in the sense that levels 1 and 2 were quite doable in software (level was/is no authentication to the CM, letting it be protected by the host; level 2 was/is a form of basic authentication, e.g., encrypting private keys under a key derived from a password).

        I was part of a team that had multiple level 1 and 2 certificates for software-only CMs in the 1990s, both 140 and the second edition, 140-1.

    • ecb_penguin2 hours ago
      [dead]
  • ocdtrekkie3 hours ago
    The current FIPS-approved OpenSSL module was released in 2023. FIPS compliance does not even allow security patches to address issues.

    In my opinion, FIPS compliance is bad security practice and I suspect if a government agency called you on not meeting it, the justification of patching to address known vulnerabilities should hold up to scrutiny.

  • 4 hours ago
    undefined
  • 5 hours ago
    undefined