by bactrian 3184 days ago
It's not related to crypto/tls or net/http. This has to do with sending mail via SMTP. It's totally worth fixing but probably had close to zero real world effect.

Go has an incredible security track record. Out of the box, net/http and crypto/tls are safe to deploy in production. No reverse proxy shield required.


It's pretty good, but I disagree about net/http being ready out of the box.

https://github.com/golang/go/issues/16100

Your choice is to support streaming requests and suffer from a trivial slow client DoS, out of the box, or force a timeout and kill streaming requests that exceed that timeout. For this and other reasons I still recommend fronting golang net/http with something more capable on this front.
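The trade-off the comment above describes (a whole-request ReadTimeout kills legitimate long-lived streaming requests, no timeout lets a slow client hold a connection for free) can be narrowed by bounding only the header phase. The following is an added example, not code from the commenter or from the Go project: it configures an http.Server with ReadHeaderTimeout and IdleTimeout while leaving ReadTimeout at zero, caps body size per request with http.MaxBytesReader, and then checks both halves of the trade-off against a loopback listener. The function and handler names (NewHardenedServer, echoLen, ProbeHeaderTimeout, StreamingBodySurvives) and the 64 KiB / 1 MiB limits are choices made for this example.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// NewHardenedServer returns an http.Server that bounds the phase a slow
// client abuses (reading request headers) without capping the whole request.
// ReadTimeout and WriteTimeout stay at zero on purpose: they would also cut
// off legitimate long-running streaming bodies and responses.
func NewHardenedServer(addr string, h http.Handler, headerTimeout time.Duration) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: headerTimeout,     // header bytes must arrive within this window
		IdleTimeout:       2 * headerTimeout, // keep-alive connections idle between requests
		MaxHeaderBytes:    1 << 16,           // 64 KiB cap on header size (example value)
	}
}

// echoLen drains the request body and replies with its length. The body is
// bounded in size (1 MiB, example value) rather than in time, so a client
// may stream slowly but cannot stream without limit.
func echoLen(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
	n, err := io.Copy(io.Discard, r.Body)
	if err != nil {
		http.Error(w, "body too large or unreadable", http.StatusRequestEntityTooLarge)
		return
	}
	fmt.Fprintf(w, "%d\n", n)
}

// startLoopback serves the hardened server on an ephemeral loopback port.
func startLoopback(headerTimeout time.Duration) (*http.Server, net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, nil, err
	}
	srv := NewHardenedServer(ln.Addr().String(), http.HandlerFunc(echoLen), headerTimeout)
	go srv.Serve(ln)
	return srv, ln, nil
}

// ProbeHeaderTimeout opens one connection, sends an incomplete header block
// and then goes quiet. It reports whether the server closed the connection
// on its own and how long that took.
func ProbeHeaderTimeout(headerTimeout time.Duration) (closed bool, elapsed time.Duration, err error) {
	srv, ln, err := startLoopback(headerTimeout)
	if err != nil {
		return false, 0, err
	}
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, 0, err
	}
	defer conn.Close()
	start := time.Now()
	// Note the missing blank line: the headers are never finished.
	if _, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: example\r\n")); err != nil {
		return false, 0, err
	}
	// Our own deadline is well beyond the server's, so a timeout here means
	// the server did NOT close the connection.
	conn.SetReadDeadline(time.Now().Add(10 * headerTimeout))
	_, rerr := io.ReadAll(conn) // returns nil error on EOF (server closed)
	elapsed = time.Since(start)
	if ne, ok := rerr.(net.Error); ok && ne.Timeout() {
		return false, elapsed, nil
	}
	return true, elapsed, nil // EOF or reset: the server ended the connection
}

// StreamingBodySurvives sends a chunked body whose total pacing exceeds the
// header timeout several times over and confirms the request still succeeds.
func StreamingBodySurvives(headerTimeout time.Duration) (status int, bodyLen int64, err error) {
	srv, ln, err := startLoopback(headerTimeout)
	if err != nil {
		return 0, 0, err
	}
	defer srv.Close()
	pr, pw := io.Pipe()
	go func() {
		for i := 0; i < 3; i++ { // 3 chunks of 6 bytes, each after a full headerTimeout pause
			time.Sleep(headerTimeout)
			pw.Write([]byte("chunk\n"))
		}
		pw.Close()
	}()
	resp, err := http.Post("http://"+ln.Addr().String()+"/", "text/plain", pr)
	if err != nil {
		return 0, 0, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return resp.StatusCode, 0, err
	}
	bodyLen, _ = strconv.ParseInt(strings.TrimSpace(string(raw)), 10, 64)
	return resp.StatusCode, bodyLen, nil
}

func main() {
	closed, elapsed, err := ProbeHeaderTimeout(300 * time.Millisecond)
	fmt.Printf("slow header closed=%v after %v err=%v\n", closed, elapsed.Round(time.Millisecond), err)
	status, n, err := StreamingBodySurvives(300 * time.Millisecond)
	fmt.Printf("streaming body status=%d bytes=%d err=%v\n", status, n, err)
}
```

The point of the two probes is that they pull in opposite directions: the first should report the connection closed shortly after the header timeout, the second should still return 200 with 18 bytes read even though the body took three times that long to arrive. A whole-request ReadTimeout cannot satisfy both at once, which is the trade-off the comment is pointing at; ReadHeaderTimeout plus a body size cap gets closer, though it still leaves a slowly streamed body tying up a goroutine for as long as the client paces it.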

I've been out of the loop on Golang security for a bit, but last I recalled there might have been some timing vulnerabilities in the crypto library.

Is this not the case anymore?

A bunch of stuff was discovered and fixed relatively promptly: https://golang.org/doc/devel/release.html

There was a pretty thorough audit that discovered some of those issues. I'm not aware of anything outstanding - they're pretty good about patching things promptly.