Rust is too complex to be compared to C. It's more like C++ plus ML.
Rust is far, far less complex than C++. ML must be a large negative term in that formula.
I feel Java is to C++ as Go is to C as Rust is to Scala.
More seriously, the same people were involved in all three so they are already inspired by each other
Since Go is backward compatible, it is in the contract somewhere, you can refer this book even though it was written a long long time ago!
My question is whether newer libraries and best practices have evolved since 2012, or if the ecosystem has remained static in this area since 2012. I'd certainly hope there's been some learning since then, unless Go really had already achieved perfection the first time around; color me skeptical.
The symmetric encryption section mentions only Blowfish (!? - not even in the stdlib) and DES (!! - not even 3DES), not AES. There is of course no mention of authentication, or AEADs. But it gets worse. The API presented is Cipher.Encrypt which is CATASTROPHIC. Cipher.Encrypt is a low-low-level API that only encrypts the first block worth of data, AND LEAVES THE REST UNENCRYPTED. It's meant to be used by CBC/CTR/GCM block mode implementations, of which there is no mention at all.
This is all it says about, you know, encrypting real data:
> The algorithms are block algorithms. That is they work on blocks of data. If your data is not aligned to the block size, then you will have to pad it with extra blanks at the end.
This is the kind of advice which guarantees me a job forever. It's way worse than ECB.
The "Data integrity" section mentions MD4 (for which I can and did create a collision on my laptop in a few hundred lines of code) and recommends the broken MD5, converting the result into 4 uint32 for... some reason? It then calls HMAC a "variation" of a hash, while it's a completely different (and more useful) tool.
The public key chapter only mentions RSA, which is completely useless/dangerous on its own, and probably not what you should use in 2017, and offers a code snippet to generate a 512 bit key. 512. The stuff that academics break for fun.
The X.509 chapter makes a CA cert instead of a leaf.
The TLS section needlessly sets config.Rand and sets config.Time TO A FIXED VALUE, which off the top of my head might only break connections after a few minutes and not their security. Maybe. (And uses a funny "[0:]" with a needless 0, which I guess is a C-ism.)
> Security is a huge area in itself, and in this chapter we have barely touched on it. However, the major concepts have been covered.
The whole section should just have been a link to https://github.com/gtank/cryptopasta not to be harmful, but as it is, it is actively toxic.
I'm not saying anything about the quality of the rest of the book, but if you write a book on X where X != cryptography, please don't try to teach the user how to use cryptography. Or how to secure a gun.
I can't stress enough how wrong this is. The majority of mediocre programmers will take anything written in a book as gospel. When their boss tells them to encrypt the customer data, there is a non negligible chance they will go straight to a cryptography section in a book they read and copy it.
There is no positive value in that section. Readers will only be hurt by it.
This constant scare tactics and putting crypto on a needless pedestal is counterproductive as it may well turn potential learners off. It may be complicated but people learn complicated things all the time. No one is born an expert.
To contrast, writing crypto as a hobbyist isn't dangerous, but using someone else's bad crypto can be dangerous indeed—because it's almost never clear that the crypto within the software you're using was written by a hobbyist.
People can learn crypto all they like. In private, sharing their learning with peers and/or mentors. But their "homework projects" should never be posted on the public Internet where they could be found by people looking for professional solutions, any more than a chemistry student's homework project of devising a work-up for making non-volatile explosives with volatile intermediaries should be posted on the public Internet where it might be treated as a safe, well-known procedure for doing so.
If I don't close the sidebar, for whatever reason, Safari blanks the page on mouseover.