rustls recently received a formal security audit. The outcome of the audit seems pretty encouraging. Specifically:
Cure53 was unable to uncover any application-breaking security flaws. After spending thirty days on the scope in late May and early June of 2020, the team of auditors considered the general code quality to be exceptional and can attest to a solid impression left consistently by all scope items
At this point, would it make sense to remove some of the scary warnings regarding TLS support?
Even if Rocket supports a high-quality TLS library, it's still lacking protections against many other attack vectors that a well-established proxy server offers, as well as more in-depth protection by "simply" loading a WAF like ModSecurity.
Agree, we should first target to remove the TLS warning.
How to protect from other attacks is another big topic, but different from this issue.
How about rewording this
Warning: Rocket's built-in TLS is not considered ready for production use. It is intended for development use only.
to something like
Attention: Even though Rocket uses an excellent built-in TLS library, that alone may not be enough to fully protect an application in production.
What do other web frameworks that have well vetted TLS libraries say in their documentation? I've looked at the documentation for Rails, Gorilla, and Django. None of them have any warnings like this. I think adding this extra information is actually distracting and takes away from the documentation about TLS specifically. IMHO if we want to talk more about security in general, we should instead create a dedicated page called "Securing Rocket Applications".
My vote is to wholesale remove the current warning.