> FIPS-compliant bindings (OpenSSL)

Using FIPS mode can be insecure because the latest FIPS-compliant version can be years older than the latest non-FIPS one with all the updates.

The only time it makes sense to use the FIPS version is where there is a legal or contractual requirement that trumps security considerations.

▲

fuzzzerd 6 hours ago | parent [-]

While I think this is good advice, the fact that it's true feels backward to me. "We have a legal or contractual obligation to be less secure than we otherwise would be." Just seems silly.

	▲	tristor 5 hours ago \| parent [-]
		Welcome to the reality of most of the "information security" business, which is mostly just compliance by checkbox. A significant proportion of encrypted Internet traffic that is transiting government agencies or major enterprises gets decrypted in flight for inspection, literally inserting a black-box with privileged MITM capabilities into otherwise secure protocols, purely for the purpose of checking a compliance box, and that's not even the worst sin. There's no insecurity like compliant cybersecurity :)