TechEcho

There's been a lot of anger around Twitter on this. I've also seen a lot of people cherry-picking a non-native speaker's words out of context too. Specifically, "Ruby is not a project for security."<p>That doesn't mean that this bug is not important, or that the Ruby team's decision as it currently stands is a good one. But it's a complex issue.

"Ruby is not a project for security."<p>That's from ruby-core. That's a frightening attitude for a project to take.

Non-SSL expert here and first time poster (not trolling). Python also uses a wrapper for OpenSSL and has similar issues with default settings. Is this problem specific to Ruby or also Python apps as well?

The SSL2 ClientHello thing is, IIRC, also a compat hack; Firefox used it (at least until recently) when it connected through proxies.

Anyone know of a simple recipe to set up secure defaults?

So does PHP, though this is fixed in 5.5 IIRC.

"Ruby is not a project for security."<p>That's from ruby-core. That's a frightening attitude for a project to take.

The SSL2 ClientHello thing is, IIRC, also a compat hack; Firefox used it (at least until recently) when it connected through proxies.

Anyone know of a simple recipe to set up secure defaults?

So does PHP, though this is fixed in 5.5 IIRC.

Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults

6 comments

Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults

6 comments