Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules

[Reid Sutherland <reid () thirddimension net>]

Moritz Bechler wrote:
> Hi,
>
> > A default is not a vulnerability.  There are reasons why defaults 
> > cannot be changed in libraries once they are stable.  This is also why 
> > documentation exists.
> >
> > Revoke these CVEs, it's a stain on the process.
>
>
> while one may criticize that CVEs have been assigned both for the 
> insecure default and (some of the) insecure usages, at least one of 
> these is a legitimate case, in terms of CVEs likely the latter. And when 
> it comes to defaming projects, at least in my book, choosing, keeping 
> and defending bad defaults speaks to much more than a CVE being assigned.


Performing outside queries is not a reasonable default in terms of 
security.  It's up to the developer if they wish to open up the user to 
that risk.  Libraries cannot shift defaults on a whim, this is why they 
have documentation.