Re: [go-nuts] Client Cipher Order Preference not being honored with golang 1.17+

2022-08-25 Thread 'Diana Tuck' via golang-nuts
I guess I need to clarify what I was trying to say here - golang 1.17+ claims that TLS_RSA_WITH_AES_128_GCM_SHA256 is more secure than TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 CBC-SHA256 doesn't have any countermeasures against Lucky13, but all of the SSL tools: testssl.sh, SSLLabs, etc. claim the

Re: [go-nuts] Client Cipher Order Preference not being honored with golang 1.17+

2022-08-25 Thread 'Diana Tuck' via golang-nuts
Yes, I'm aware it's intentional, but it causes a lower security grade on SSLLabs. On Thu, Aug 25, 2022 at 1:20 PM 'Sean Liao' via golang-nuts < golang-nuts@googlegroups.com> wrote: > This is intentional, see https://go.dev/issue/45430 > > - sean > > On Thu, Aug 25, 2022, 19

Re: [go-nuts] Client Cipher Order Preference not being honored with golang 1.17+

2022-08-25 Thread 'Sean Liao' via golang-nuts
This is intentional, see https://go.dev/issue/45430 - sean On Thu, Aug 25, 2022, 19:07 'Diana Tuck' via golang-nuts < golang-nuts@googlegroups.com> wrote: > Since upgrading to 1.17 in which the cipher order is determined by the > golang lib, clients that previously negotiated with more secure ci

[go-nuts] Re: Some confusion about escape analysis

2022-08-25 Thread Sean Foley
Actually, looking more closely at your benchmark numbers, the trick does not work in your case. Which makes sense to me, I don't see why it would work. On Wednesday, August 24, 2022 at 2:59:34 AM UTC-4 mozart...@gmail.com wrote: > I was try using net.Buffers for writev. But I meet a unexptecte

[go-nuts] Re: Some confusion about escape analysis

2022-08-25 Thread Sean Foley
That trick was copied from here: https://cs.opensource.google/go/go/+/refs/tags/go1.19:src/strings/builder.go;l=26 See https://github.com/golang/go/issues/23382 and https://github.com/golang/go/issues/7921 I don't know why the trick works in your case. It appears to be safe. On Wednesday, Aug

[go-nuts] Re: Some confusion about escape analysis

2022-08-25 Thread Sean Foley
That trick was copied from here: https://cs.opensource.google/go/go/+/refs/tags/go1.19:src/strings/builder.go;l=26 See https://github.com/golang/go/issues/23382 and https://github.com/golang/go/issues/23382 and https://github.com/golang/go/issues/7921 I don't know why the trick works in your

[go-nuts] Client Cipher Order Preference not being honored with golang 1.17+

2022-08-25 Thread 'Diana Tuck' via golang-nuts
Since upgrading to 1.17 in which the cipher order is determined by the golang lib, clients that previously negotiated with more secure ciphers are now using less secure ciphers. We see that Windows 7 and 8 clients can no longer negotiate using xc027 and are instead using 0x9c, which is lower i

Re: [go-nuts] Does the Mutex.TryLock has the race issue?

2022-08-25 Thread Sean Foley
The type does not need to be Int32 because the Compare-and-Swap operation works on int32. It is fine as is. The compare-and-swap operation provided by the hardware guarantees that the compare-and-swap operation is atomic, which means no other read operation by any other goroutine will see the val

[go-nuts] Does the Mutex.TryLock has the race issue?

2022-08-25 Thread smal...@gmail.com
Mutex.TryLock is implemented as the below. The second line is fetching value of the state but it does not use atomic. Is it a race issue? Should type of the state be changed to atomic.Int32 just like Waitgroup? func (m *Mutex) TryLock() bool { old := m.state if old&(mutexLocked|mutexS

Re: [go-nuts] Is Go a security malware risk?

2022-08-25 Thread Jesper Louis Andersen
On Thu, Aug 25, 2022 at 7:54 AM Amnon wrote: > Apparently Go is an "unconventional language". So Languages are divided > into "conventional" and "unconventional" > languages. Any language split like this often fails to capture the essence of different language designs. We should use precision i

Re: [go-nuts] Is Go a security malware risk?

2022-08-25 Thread Holloway Kean Ho
On Thursday, August 25, 2022 at 4:58:18 PM UTC+8 Gopher-Insane wrote: > Thank you kortschak, yes that was all I was doing. Seeking advice from > people who have better knowledge than me in this area. Again, very grateful > for everyone's help. > > On Thursday, 25 August 2022 at 09:54:13 UTC+1 k

Re: [go-nuts] Is Go a security malware risk?

2022-08-25 Thread 'Gopher-Insane' via golang-nuts
Thank you kortschak, yes that was all I was doing. Seeking advice from people who have better knowledge than me in this area. Again, very grateful for everyone's help. On Thursday, 25 August 2022 at 09:54:13 UTC+1 kortschak wrote: > On Thu, 2022-08-25 at 01:47 -0700, Holloway Kean Ho wrote: >

Re: [go-nuts] Is Go a security malware risk?

2022-08-25 Thread 'Dan Kortschak' via golang-nuts
On Thu, 2022-08-25 at 01:47 -0700, Holloway Kean Ho wrote: > What exactly you're trying to achieve by taking a very elaborated, > crystal-clear, good-willed security-related article way out of its > context with your thread title here and agitate some of the Go > maintainers here? I don't think th

Re: [go-nuts] Is Go a security malware risk?

2022-08-25 Thread Holloway Kean Ho
Hi, I be very blunt here: 1. What exactly you're trying to achieve by taking a very elaborated, crystal-clear, good-willed security-related article way out of its context with your thread title here and agitate some of the Go maintainers here? Why I'm asking: - AFAIK, behavior