unofficial mirror of emacs-devel@gnu.org 
* Getting SSL test A+ grade on elpa.gnu.org
@ 2020-11-25 15:11 김민우
  2020-11-25 17:04 ` Robert Pluim
  2020-11-25 17:38 ` Vasilij Schneidermann
  0 siblings, 2 replies; 7+ messages in thread
From: 김민우 @ 2020-11-25 15:11 UTC (permalink / raw)
  To: emacs-devel


elpa.gnu.org is supporting insecure TLS 1.0 and TLS 1.1, and does not
support Forward Secrecy on every device, so it got a B grade on Qualys
Labs' SSL Test (
https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&s=209.51.188.89&latest).
It could have a bad effect on security and privacy for emacs users. Would
you apply only TLS 1.3 on elpa.gnu.org?

Kind Regards,
Minwoo Kim


* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 15:11 Getting SSL test A+ grade on elpa.gnu.org 김민우
@ 2020-11-25 17:04 ` Robert Pluim
  2020-11-26  6:21   ` 김민우
  2020-11-25 17:38 ` Vasilij Schneidermann
  1 sibling, 1 reply; 7+ messages in thread
From: Robert Pluim @ 2020-11-25 17:04 UTC (permalink / raw)
  To: 김민우; +Cc: emacs-devel

김민우 <kmwyard@gmail.com> writes:

> elpa.gnu.org is supporting insecure TLS 1.0 and TLS 1.1, and does not
> support Forward Secrecy on every device, so it got a B grade on Qualys
> Labs' SSL Test (
> https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&s=209.51.188.89&latest).
> It could have a bad effect on security and privacy for emacs users. Would
> you apply only TLS 1.3 on elpa.gnu.org?

*only* TLS 1.3 would be a bit harsh, I think.

Robert




* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 15:11 Getting SSL test A+ grade on elpa.gnu.org 김민우
  2020-11-25 17:04 ` Robert Pluim
@ 2020-11-25 17:38 ` Vasilij Schneidermann
  2020-11-25 17:51   ` Robert Pluim
  1 sibling, 1 reply; 7+ messages in thread
From: Vasilij Schneidermann @ 2020-11-25 17:38 UTC (permalink / raw)
  To: 김민우; +Cc: emacs-devel


> It could have a bad effect on security and privacy for emacs users. Would
> you apply only TLS 1.3 on elpa.gnu.org?

ITYM TLSv1.2 and upwards. Remember how GNU ELPA merely supporting
TLSv1.3 required Emacs versions older than 26.3 to apply a workaround to
successfully establish a connection to GNU ELPA?

Another thing to watch out for is the cipher suites. To reach a good
rating several of them need to be disabled and extensive testing is
required to ensure that we don't exclude users from fetching packages
for no apparent reason.

Something else I'm curious about, what exactly blocks us from forcing a
HTTP->HTTPS redirect? Is it waiting for Emacs 26.1 and newer to become a
widely used Emacs version or are there others?

Vasilij


* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 17:38 ` Vasilij Schneidermann
@ 2020-11-25 17:51   ` Robert Pluim
  2020-11-25 18:10     ` Vasilij Schneidermann
  0 siblings, 1 reply; 7+ messages in thread
From: Robert Pluim @ 2020-11-25 17:51 UTC (permalink / raw)
  To: 김민우; +Cc: emacs-devel

Vasilij Schneidermann <mail@vasilij.de> writes:

>> It could have a bad effect on security and privacy for emacs users. Would
>> you apply only TLS 1.3 on elpa.gnu.org?
>
> ITYM TLSv1.2 and upwards. Remember how GNU ELPA merely supporting
> TLSv1.3 required Emacs versions older than 26.3 to apply a workaround to
> successfully establish a connection to GNU ELPA?

Right

> Another thing to watch out for is the cipher suites. To reach a good
> rating several of them need to be disabled and extensive testing is
> required to ensure that we don't exclude users from fetching packages
> for no apparent reason.

The impression I get is that reordering the cipher suite list to put
the weak ones at the end might be enough to improve the score. That
shouldn't create any compatibility issues (and is a good idea
regardless of just 'improving our score').

> Something else I'm curious about, what exactly blocks us from forcing a
> HTTP->HTTPS redirect? Is it waiting for Emacs 26.1 and newer to become a
> widely used Emacs version or are there others?

Are you sure that all the versions of Emacs that connect to
elpa.gnu.org work correctly in the face of such a redirect? What about
versions that donʼt support https?

Robert
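
The checks this thread circles around (whether TLS 1.0/1.1 are still offered, whether every suite gives forward secrecy, and the suggestion above of moving the weak suites to the end of the preference list rather than removing them) as an added Python example; this is not code from the thread or from GNU ELPA's server, whose software is not named here. SAMPLE_CONFIG and its cipher list are constructed for illustration, the offline audit is what is exercised, and the live probe helper uses only the standard ssl module.

```python
"""Offline audit of a TLS server configuration against the points raised in
the thread: legacy protocol versions and cipher suites without forward
secrecy.  Added example, not GNU ELPA's own configuration; SAMPLE_CONFIG is
constructed for illustration."""
import socket
import ssl

# TLS 1.0 and 1.1 are deprecated by RFC 8996.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Constructed sample in OpenSSL cipher-name notation.  Suites whose name
# starts with the key-exchange method ECDHE/DHE use ephemeral keys; names
# without that prefix (AES128-SHA, ...) mean static RSA key exchange, which
# is what "does not support Forward Secrecy" refers to.  TLS 1.3 suites
# (TLS_...) are always ephemeral.
SAMPLE_CONFIG = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
    "ciphers": [
        "AES128-SHA",
        "AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "DHE-RSA-AES256-GCM-SHA384",
        "TLS_AES_128_GCM_SHA256",
    ],
}


def has_forward_secrecy(cipher):
    """True for suites with an ephemeral (EC)DH key exchange."""
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_"))


def audit(config, drop_non_fs=False):
    """Return (findings, hardened_config).

    The hardened configuration removes TLS 1.0/1.1 and moves forward-secret
    suites to the front of the server's preference list (the reordering
    suggested in the thread, which keeps every suite available to old
    clients).  With drop_non_fs=True the static-RSA suites are removed as
    well; that is the stricter change the thread says needs client testing.
    """
    findings = []
    legacy = [p for p in config["protocols"] if p in LEGACY_PROTOCOLS]
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    non_fs = [c for c in config["ciphers"] if not has_forward_secrecy(c)]
    if non_fs:
        findings.append("suites without forward secrecy: " + ", ".join(non_fs))
    if config["ciphers"] and not has_forward_secrecy(config["ciphers"][0]):
        findings.append("preference list starts with a non-forward-secret suite")

    # sorted() is stable, so the relative order within each group is kept.
    ciphers = sorted(config["ciphers"], key=lambda c: not has_forward_secrecy(c))
    if drop_non_fs:
        ciphers = [c for c in ciphers if has_forward_secrecy(c)]
    hardened = {
        "protocols": [p for p in config["protocols"] if p not in LEGACY_PROTOCOLS],
        "ciphers": ciphers,
    }
    return findings, hardened


VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_versions(host, port=443, timeout=5):
    """Live check of which protocol versions a host actually negotiates.

    Each attempt pins the client to exactly one version.  A False entry means
    the handshake failed; a modern OpenSSL build may refuse to offer TLS
    1.0/1.1 itself, so False for those is only conclusive when the client
    library still allows them.  Network-bound; not called by the audit.
    """
    results = {}
    for name, version in VERSIONS:
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False
    return results


if __name__ == "__main__":
    findings, hardened = audit(SAMPLE_CONFIG)
    for line in findings:
        print("finding:", line)
    print("hardened:", hardened)
```

Running the audit on the hardened output still reports the two static-RSA suites, which is the point of the reordering: the score-relevant weakness is removed from the top of the list while old clients keep a suite they can use; `drop_non_fs=True` is the stricter variant that the thread says needs testing against real Emacs versions first.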




* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 17:51   ` Robert Pluim
@ 2020-11-25 18:10     ` Vasilij Schneidermann
  2020-11-25 18:52       ` Stefan Monnier
  0 siblings, 1 reply; 7+ messages in thread
From: Vasilij Schneidermann @ 2020-11-25 18:10 UTC (permalink / raw)
  To: emacs-devel


> Are you sure that all the versions of Emacs that connect to
> elpa.gnu.org work correctly in the face of such a redirect? What about
> versions that donʼt support https?

I chose 26.1 as possible cut-off point as it defaults to building with
gnutls. Analysis of the GNU ELPA logs should show the percentages of
each Emacs version used. Once the percentage of requests from Emacs
versions below 26.1 drops to 1% or so, measures to stop supporting them
could be considered, such as forcing HTTPS usage.

Vasilij


* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 18:10     ` Vasilij Schneidermann
@ 2020-11-25 18:52       ` Stefan Monnier
  0 siblings, 0 replies; 7+ messages in thread
From: Stefan Monnier @ 2020-11-25 18:52 UTC (permalink / raw)
  To: emacs-devel

> I chose 26.1 as possible cut-off point as it defaults to building with
> gnutls. Analysis of the GNU ELPA logs should show the percentages of
> each Emacs version used. Once the percentage of requests from Emacs
> versions below 26.1 drops to 1% or so, measures to stop supporting them
> could be considered, such as forcing HTTPS usage.

Emacsen built with libgnutls should already automatically use https, so
a redirect wouldn't be useful for them, AFAICT.  IOW the redirect would
only be useful for people browsing elpa.gnu.org rather than for
connection from package.el.


        Stefan





* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 17:04 ` Robert Pluim
@ 2020-11-26  6:21   ` 김민우
  0 siblings, 0 replies; 7+ messages in thread
From: 김민우 @ 2020-11-26  6:21 UTC (permalink / raw)
  To: emacs-devel


Robert Pluim <rpluim@gmail.com> writes:

> 김민우 <kmwyard@gmail.com> writes:
>
> > elpa.gnu.org is supporting insecure TLS 1.0 and TLS 1.1, and does not
> > support Forward Secrecy on every device, so it got a B grade on Qualys
> > Labs' SSL Test (
> > https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&s=209.51.188.89&latest).
> > It could have a bad effect on security and privacy for emacs users. Would
> > you apply only TLS 1.3 on elpa.gnu.org?
>
> *only* TLS 1.3 would be a bit harsh, I think.

If so, at least we should deprecate TLS 1.1 and TLS 1.0 on elpa.gnu.org.

