this post was submitted on 11 Jun 2023
175 points (98.9% liked)
Technology
1928 readers
7 users here now
Rumors, happenings, and innovations in the technology sphere. If it's technological news, it probably belongs here.
Subcommunities on Beehaw:
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I mean the reason people believe that is because it's a very explicit language. It knows what's in its memory at all times, and so at the lower layers it's more secure by nature.
As opposed to php, you're less likely to introduce a vulnerability by being sloppy with data sanitation - the language demands you tell it exactly the data structures you want it to put into memory. For that reason, the language is more secure - the parse json function is going to be less likely to be able to run rogue code maliciously embedded inside it than php, and if it does manage to do so, it's easier to write php to blindly open a hole in the system from inside an interpreter than it is to break out of or hijack the runtime.
Obviously that doesn't make it secure. It just means that all else being equal, rust is less vulnerable to a sloppy mistake at any given layer in the stack. Doesn't mean you can't make a logical mistake and open up a glaring security hole
And obviously you can write bulletproof php code, but every layer of the stack needs to be just as bulletproof. Including the interpreter and all your libraries - which historically were very much not bulletproof (it's definitely much more strict than it used to be, and I think I heard fb tried compilation and I'm not sure if that's become a thing, but it's generally is more secure than interpretation for similar reasons)
All that being said, humans are just dumb and sloppy. We write shit code, and we try to minimize the surface area for mistakes. Rust has a much smaller surface area than php
I'm very much aware of that, I have programmed stuff in rust as well, but claiming that it's secure and "better" because it's rust is just pr, believe me, I can write some really sihtty rust code.
I'm no evangelist for PHP, but I say use the tool that you know, when I make a new program I'm going to do it in nim, because it's the langauge that I have the most fun working with. It has mostly the same pros as rust, just with a lot nicer syntax and it's generally more flexible.
No shade on people liking rust, but this constant parroting of the same point by people who probably never even used the langauge is getting kind of old.