frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Open in hackernews

WolfGuard: WireGuard with FIPS 140-3 cryptography

https://github.com/wolfssl/wolfguard
43•789c789c789c•2h ago

Comments

AaronFriel•1h ago
The conventional wisdom in cryptography is that if you don't know you need FIPS, if you don't have paper and a dollar figure telling you how much you need it, you don't need or want FIPS.
elevation•1h ago
Wireguard exemplifies the superiority of a qualified independent developer over the fractal layers of ossified cruft that you get from industry efforts and compliance STIGS.

So it feels wrong to see wireguard adapted for compliance purposes. If compliance orgs want superior technology, let their standards bodies approve/adopt wireguard without modifying it.

LtWorf•1h ago
but wolfssl is in the business of selling FIPS compliance so…
alfanick•1h ago
And they do it fast, thankfully Compliant Static Code Analyser catches issues like https://github.com/wolfSSL/wolfGuard/commit/fa21e06f26de201b...
johnisgood•30m ago
Holy shit. Those are rookie mistakes, that could end up being SEVERE.
jmclnx•47m ago
Yes, but be aware, openvpn is much better if you live in a Country like China, Russia and a few others. That is due to a known design issue with wireguard.

For most people, wireguard is fine.

Edit: I should have said "choice" instead of "issue", but Firefox 140 is failing on this site so I could not correct the txt. I was able to edit this after reverting back to Firefox 128.

LunaSea•44m ago
Could you expand on the design flaw in question?
jmclnx•42m ago
It is not a design flaw, but a design choice.

>OpenVPN does not store any of your private data, including IP addresses, on VPN servers, which is ideal.

https://www.pcmag.com/comparisons/openvpn-vs-wireguard-which...

eptcyka•40m ago
OpenVPN looks like a regular tls stream - difficult to distinguish between that and a HTTPS connection. WireGuard looks like WireGuard. But you can wrap WireGuard in whatever headers you might want to obfuscate it and the perf will still be better.
tptacek•28m ago
It's trivial to make WireGuard look like a regular TLS stream. It's probably not worth a 15 year regression in security characteristics just to get that attribute; just write the proxy for it and be done with it. It was a 1 day project for us (we learned the hard way that a double digit percentage of our users simply couldn't speak UDP and had to fix that).
dmbche•45m ago
> fractal layers of ossified cruft

Someone got a thesaurus in their coffee today! (Not a jab)

pphysch•1h ago
Can't you also get FIPS 140-3 WireGuard by compiling wireguard-go with the new native FIPS support in Go?
inahga•1h ago
The ciphers used by WireGuard are not FIPS 140-3 certified. So you have to also change the ciphers, as is done in this project.
loeg•51m ago
E.g., ChaPoly AEAD -> AES-GCM, Blake2s -> SHA2/3, that kind of thing.
PunchyHamster•1h ago
So a step backward in security ?
kstrauser•1h ago
In fairness, modern versions of FIPS are much less awful. AFAICT it's now possible to be FIPS compliant and meet reasonable crypto expectations, which was not always the case before.
loeg•49m ago
It's fine. None of the FIPS algorithms are known to be broken, either. The only risk here is implementation bugs doing the conversion and any maintenance burden incurred due to diverging from upstream wireguard.
usui•1h ago
I know software developers complain about forced compliance due to the security theatre aspects, but I would like to charitably ask from someone who has technical understanding of FIPS-compliant cryptography. Are there any actual security advantages on technical grounds for making WireGuard FIPS-compliant? Assume the goal is not to appease pencil pushers. I really want to know if this kind of effort has technical gains.
alfanick•1h ago
I presume it's a product strategy to provide a box of "compliant" libraries/services, so other companies can quickly tick and sign a checkbox saying "we use compliant VPN", because someone else is going to look whether the checkbox is ticked and signed, because someone else is going to...
NewJazz•57m ago
You failed to answer the question. Why did you reply?
loeg•57m ago
There is no security advantages or technical grounds for using FIPS algorithms in a WireGuard clone instead of Chacha / Blake2. It's purely a compliance move. ChaPoly, Blake2, etc, are not known to be broken and we have every reason to believe they are strong.
briandw•50m ago
My limited understanding is that issues like being vulnerable to side channel attacks are very difficult to detect. So you have to have shown that the entire development process is safe. From the code to the compiler to the hardware to the microcode, it all needs to be checked. That said it does seem like compliance is a bigger priority than safety.
tptacek•27m ago
No, there are not.
ongy•22m ago
Crypto wise, fips is outdated but not horrible.

Actual fips compliant (certified) gives you confidence in some basic competence of the solution.

Just fips compatible (i.e. picking algos that could be fips compliant) is generally neutral to negative.

I'm not 100% up to date, so that might have changed, but AEAD used to be easier if you don't follow fips than fips compatible. Still possible, but more foot guns due to regulatory lag in techniques.

Overall, IMO the other top-level comment of "only fips if you have pencil pusher benefit" applies.

FCC has banned the import of all new foreign-made routers here's what you can do

https://blog.adafruit.com/2026/03/24/fcc-just-banned-the-import-of-all-new-foreign-made-routers-h...
41•ptorrone•21m ago•17 comments

LiteLLM Python package compromised by supply-chain attack

https://github.com/BerriAI/litellm/issues/24512
670•theanonymousone•5h ago•262 comments

Run a 1T parameter model on a 32gb Mac by streaming tensors from NVMe

https://github.com/t8/hypura
100•tatef•2h ago•47 comments

Hypothesis, Antithesis, Synthesis

https://antithesis.com/blog/2026/hegel/
92•alpaylan•2h ago•47 comments

No Terms. No Conditions

https://notermsnoconditions.com
126•bayneri•2h ago•39 comments

ARM AGI CPU: Specs and SKUs

https://sbcwiki.com/docs/soc-manufacturers/arm/arm-silicon/
9•HeyMeco•11m ago•0 comments

Lago (YC S21) Is Hiring

https://getlago.notion.site/Lago-Product-Engineer-AI-Agents-for-Growth-327ef63110d280cdb030ccf429...
1•AnhTho_FR•23m ago

Show HN: Email.md – Markdown to responsive, email-safe HTML

https://www.emailmd.dev/
43•dancablam•1h ago•12 comments

Tony Hoare and His Imprint on Computer Science

https://cacm.acm.org/blogcacm/tony-hoare-and-his-imprint-on-computer-science/
31•matt_d•3d ago•3 comments

Show HN: Gemini can now natively embed video, so I built sub-second video search

https://github.com/ssrajadh/sentrysearch
76•sohamrj•3h ago•29 comments

Testing the Swift C compatibility with Raylib (+WASM)

https://carette.xyz/posts/swift_c_compatibility_with_raylib/
35•LucidLynx•2d ago•11 comments

Nanobrew: The fastest macOS package manager compatible with brew

https://nanobrew.trilok.ai/
108•syrusakbary•6h ago•66 comments

Microsoft's "Fix" for Windows 11: Flowers After the Beating

https://www.sambent.com/microsofts-plan-to-fix-windows-11-is-gaslighting/
785•h0ek•8h ago•574 comments

Data Manipulation in Clojure Compared to R and Python

https://codewithkira.com/2024-07-18-tablecloth-dplyr-pandas-polars.html
11•tosh•2d ago•0 comments

Arm AGI CPU

https://newsroom.arm.com/blog/introducing-arm-agi-cpu
6•RealityVoid•40m ago•3 comments

LaGuardia pilots raised safety alarms months before deadly runway crash

https://www.theguardian.com/us-news/2026/mar/24/laguardia-airplane-pilots-safety-concerns-crash
201•m_fayer•2h ago•165 comments

Debunking Zswap and Zram Myths

https://chrisdown.name/2026/03/24/zswap-vs-zram-when-to-use-what.html
134•javierhonduco•7h ago•31 comments

Ripgrep is faster than grep, ag, git grep, ucg, pt, sift (2016)

https://burntsushi.net/ripgrep/
268•jxmorris12•11h ago•108 comments

WolfGuard: WireGuard with FIPS 140-3 cryptography

https://github.com/wolfssl/wolfguard
43•789c789c789c•2h ago•24 comments

curl > /dev/sda: How I made a Linux distro that runs wget | dd

https://astrid.tech/2026/03/24/0/curl-to-dev-sda/
121•astralbijection•8h ago•50 comments

Secure Domain Name System (DNS) Deployment 2026 Guide [pdf]

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81r3.pdf
72•XzetaU8•5h ago•7 comments

So where are all the AI apps?

https://www.answer.ai/posts/2026-03-12-so-where-are-all-the-ai-apps.html
263•tanelpoder•3h ago•255 comments

Opera: Rewind The Web to 1996 (Opera at 30)

https://www.web-rewind.com
163•thushanfernando•10h ago•100 comments

The AI Industry Is Lying to You

https://www.wheresyoured.at/the-ai-industry-is-lying-to-you/
19•spking•40m ago•1 comments

io_uring, libaio performance across Linux kernels and an unexpected IOMMU trap

https://blog.ydb.tech/how-io-uring-overtook-libaio-performance-across-linux-kernels-and-an-unexpe...
37•tanelpoder•4h ago•15 comments

Apple Business

https://www.apple.com/newsroom/2026/03/introducing-apple-business-a-new-all-in-one-platform-for-b...
143•soheilpro•2h ago•131 comments

Box of Secrets: Discreetly modding an apartment intercom to work with Apple Home

https://www.jackhogan.me/blog/box-of-secrets/
244•jackhogan11•1d ago•95 comments

Log File Viewer for the Terminal

https://lnav.org/
271•wiradikusuma•12h ago•42 comments

The Jellies That Evolved a Different Way to Keep Time

https://www.quantamagazine.org/the-jellies-that-evolved-a-different-way-to-keep-time-20260320/
22•jyunwai•4d ago•5 comments

LLM Neuroanatomy II: Modern LLM Hacking and Hints of a Universal Language?

https://dnhkng.github.io/posts/rys-ii/
83•realberkeaslan•7h ago•28 comments