Template:Did you know nominations/Rustls
Appearance
- The following is an archived discussion of the DYK nomination of the article below. Please do not modify this page. Subsequent comments should be made on the appropriate discussion page (such as this nomination's talk page, the article's talk page or Wikipedia talk:Did you know), unless there is consensus to re-open the discussion at this page. No further edits should be made to this page.
The result was: withdrawn by nominator, closed by Narutolovehinata5 talk 00:56, 10 September 2024 (UTC)
DYK toolbox |
---|
Rustls
- ... that programmers are trying to improve internet security by writing network protocol libraries like Rustls in a memory safe programming language?
- Source: Rustls Looks to Provide a Memory-Safe Replacement for OpenSSL, The New Stack, April 23, 2021
Created by Dreamyshade (talk).
Number of QPQs required: 1. Nominator has 6 past nominations.
Dreamyshade (talk) 21:48, 22 August 2024 (UTC).
- Not a good hook. Makes no sense to the average person with no CS education. Many technical articles are not suited for DYK. (t · c) buidhe 07:01, 25 August 2024 (UTC)
- Pinging two editors regarding possible hooks here given they are DYK regulars who specialize in tech articles. Narutolovehinata5 (talk · contributions) 01:14, 30 August 2024 (UTC)
- Fixed pings: @Maury Markowitz and DigitalIceAge: Narutolovehinata5 (talk · contributions) 01:14, 30 August 2024 (UTC)
- The hook is a little confusing to me because it's making it sound like Rustls wasn't written in Rust to begin with, i.e. it's a pre-existing library that's just now being adapted to Rust. I think if the hook were shorter, it would be more interesting. Something like "... that Rustls aims to improve internet security by replacing memory-unsafe software libraries?" DigitalIceAge (talk) 02:49, 30 August 2024 (UTC)
- @DigitalIceAge: That might still be too specialist if the reader doesn't know what "memory-unsafe" means in this context. I asked for feedback over at WP:DISCORD, and Hilst suggested that the
Like other TLS implementations, a computer user may use Rustls without being aware of it, as an underlying part of an application or website
part has promise. Maybe that could also work? Narutolovehinata5 (talk · contributions) 03:09, 30 August 2024 (UTC)- I suppose. I don't think the concept of "memory safety" is particularly arcane or technical, but we could simplify the hook even further: "... that Rustls aims to improve internet security by replacing software libraries that are vulnerable to security bugs?" DigitalIceAge (talk) 03:23, 30 August 2024 (UTC)
- Thanks Narutolovehinata5 for pitching in! I don't have a citation for "a computer user may use Rustls without being aware of it", so I don't think we can use it as a hook. (I included it in the article even without a citation because I believe it's Wikipedia:Common knowledge about low-level software libraries like this one, at least among people in the software field.) I believe that it's possible for non-specialists to find this topic somewhat interesting, as long as we do a decent job of writing about it, which is why I tried to include bits of context in the article itself. I like DigitalIceAge's simplified hook. Dreamyshade (talk) 03:44, 30 August 2024 (UTC)
- I still don't think the original hook is too specialist. But if I had to pick, I'd go with DigitalIceAge's as well. Maury Markowitz (talk) 14:38, 30 August 2024 (UTC)
- @Buidhe: Does DigitalIceAge's proposal satisfy your concerns? If it does, this should be ready for a full review. Narutolovehinata5 (talk · contributions) 07:45, 31 August 2024 (UTC)
- I still don't think the original hook is too specialist. But if I had to pick, I'd go with DigitalIceAge's as well. Maury Markowitz (talk) 14:38, 30 August 2024 (UTC)
- @DigitalIceAge: That might still be too specialist if the reader doesn't know what "memory-unsafe" means in this context. I asked for feedback over at WP:DISCORD, and Hilst suggested that the
- The hook is a little confusing to me because it's making it sound like Rustls wasn't written in Rust to begin with, i.e. it's a pre-existing library that's just now being adapted to Rust. I think if the hook were shorter, it would be more interesting. Something like "... that Rustls aims to improve internet security by replacing memory-unsafe software libraries?" DigitalIceAge (talk) 02:49, 30 August 2024 (UTC)
- Fixed pings: @Maury Markowitz and DigitalIceAge: Narutolovehinata5 (talk · contributions) 01:14, 30 August 2024 (UTC)
- Not surprising or interesting that they come out with better software that is more secure and less prone to bugs. (t · c) buidhe 12:14, 31 August 2024 (UTC)
- @Dreamyshade, DigitalIceAge, and Maury Markowitz: Seems it's back to the drawing board then. Narutolovehinata5 (talk · contributions) 00:00, 1 September 2024 (UTC)
- "... that Rustls aims to replace OpenSSL, an internet security library which is widely used by servers but is memory-unsafe?"
- "... that Rustls aims to replace OpenSSL, which suffered from Heartbleed?"
- DigitalIceAge (talk) 00:57, 1 September 2024 (UTC)
- @Narutolovehinata5: I say the current hook is good as-is and do not need new ones. Maury Markowitz (talk)
- I think the first one is workable, tho I wonder if we can get a cited percentage number for the websites/servers that use OpenSSL (.i.e. more than 90% servers on the internet or 450 million websites on the internet)? I think the shock value is the fact the magnitude of OpenSSL adoption (and consequently the mammoth task that ISRG/Rustls faces in changing that). Sohom (talk) 23:33, 2 September 2024 (UTC)
- It seems tough to find a strong source for how many servers use OpenSSL. The original Heartbleed site estimated it by looking at Netcraft's Web Server Survey and adding together the Apache and Nginx sites, and Netcraft still publishes that survey, but these days you can use Apache or Nginx with Rustls instead of OpenSSL. This Akamai post from 2022 said "Approximately 50% of monitored environments had at least one machine with at least one process that depends on a vulnerable version of OpenSSL", but that's not a total count of OpenSSL in use, and that's a bit old anyway.
- I also don't know if it makes sense to describe OpenSSL as "memory unsafe". It's had a lot of memory safety problems, but the current version may or may not have memory safety problems.
- An interesting thing to me is that several US and non-US government agencies have advocated for "Secure by Design" software engineering, including using memory safe languages. So that's a potential direction for a hook, but I've only seen that referenced in connection to Rustls in press releases like the ones cited in the article, this one from ISRG, and from SIDN. Dreamyshade (talk) 01:51, 3 September 2024 (UTC)
- I think using press-releases as a basis for a hook is kinda shaky. This might need workshopping but how about something like:
- ... that Rustls aims to replace OpenSSL, a security library that has been used to sign certificates for over 223 million websites?
- (The 223 million figure comes from a research paper published by Lets Encrypt in 2019 (which uses OpenSSL) [1]) Sohom (talk) 05:07, 3 September 2024 (UTC)
- We'd need to do a bit of synthesis to make that claim, since that article doesn't say that Let's Encrypt uses OpenSSL. And Let's Encrypt is just one certificate authority, although ISRG says it's the world's largest certificate authority. All of that is related to an interesting bit of information in the article, that ISRG runs Let's Encrypt and plans to replace OpenSSL with Rustls this year — but my only citations are press releases from ISRG, which aren't great citations for a hook, and it's also not a great hook because of WP:CRYSTALBALL. Dreamyshade (talk) 18:08, 3 September 2024 (UTC)
- I think the first one is workable, tho I wonder if we can get a cited percentage number for the websites/servers that use OpenSSL (.i.e. more than 90% servers on the internet or 450 million websites on the internet)? I think the shock value is the fact the magnitude of OpenSSL adoption (and consequently the mammoth task that ISRG/Rustls faces in changing that). Sohom (talk) 23:33, 2 September 2024 (UTC)
- @Dreamyshade, DigitalIceAge, and Maury Markowitz: Seems it's back to the drawing board then. Narutolovehinata5 (talk · contributions) 00:00, 1 September 2024 (UTC)
- I'm willing to withdraw this nomination, out of respect for the efforts of DYK volunteers. I think it's a neat little article, but it's tough to figure out a hook for it that can get consensus approval. Thanks all! Dreamyshade (talk) 23:59, 9 September 2024 (UTC)