* bug#47823: Hardenize Guix website TLS/DNS
From: bo0od @ 2021-04-16 11:00 UTC (permalink / raw)
  To: 47823

Hi There,

Scanning the Guix website revealed many missing security features which modern 
security needs to be available:

* TLS and DNS:

looking at:

https://www.hardenize.com/report/guix.gnu.org/1618568751

https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

- DNS: DNSSEC support missing (important)
- TLS 1.0, 1.1 considered deprecated since 2020
- Allow TLS 1.3 as it helps with ESNI whenever it's ready in OpenSSL
- Use only secure ciphers, disable old ciphers
- Force redirection of insecure connection with plain text to TLS
- HSTS/HSTS-preload support missing (important)


* Web Application (Headers):

I think it's self-explanatory:

https://securityheaders.com/?q=https%3A%2F%2Fguix.gnu.org%2F&followRedirects=on

ThX!
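As an added example (not from the bug report or the Guix project), the Python `ssl` context below is configured the way the TLS items above ask for: TLS 1.0/1.1 refused, TLS 1.3 left negotiable, and only forward-secret AEAD suites for TLS 1.2; the audit function lists what a "secure ciphers only" scan would still reject, so the same check can be run against any context. The weak-primitive marker list is an assumption of this example.

```python
import ssl

# Added example, not from the bug report or the Guix project: a server-side
# SSLContext hardened as the report requests, plus an audit of the result.

# Substrings of OpenSSL cipher names that a modern scanner rejects (assumed list).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "PSK", "SRP", "anon")


def hardened_server_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse TLS 1.0 and 1.1 handshakes outright; TLS 1.3 remains negotiable
    # because the default maximum_version is the newest the OpenSSL build has.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 cipher list: forward-secret ECDHE key exchange with AEAD only.
    # TLS 1.3 suites are all AEAD and are configured separately by OpenSSL.
    ctx.set_ciphers(
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
    )
    return ctx


def audit_ciphers(ctx):
    """Return one finding per enabled cipher that a 'secure ciphers only'
    review would reject; an empty list means the context passes."""
    findings = []
    for c in ctx.get_ciphers():
        name = c["name"]
        if c["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            findings.append("%s: offered on %s" % (name, c["protocol"]))
        elif any(m in name for m in WEAK_MARKERS):
            findings.append("%s: weak primitive" % name)
        elif name.endswith("-SHA"):
            findings.append("%s: CBC with HMAC-SHA1" % name)
        elif not name.startswith(("ECDHE-", "DHE-", "TLS_")):
            # TLS_ prefix marks the TLS 1.3 suites, which are always ECDHE.
            findings.append("%s: no forward secrecy" % name)
    return findings


if __name__ == "__main__":
    context = hardened_server_context()
    print("minimum version:", context.minimum_version)
    print("findings:", audit_ciphers(context) or "none")
```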





* bug#47823: Hardenize Guix website TLS/DNS
From: Leo Famulari @ 2021-04-16 16:15 UTC (permalink / raw)
  To: bo0od; +Cc: 47823

On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning the Guix website revealed many missing security features which modern
> security needs to be available:
> 
> * TLS and DNS:
> 
> looking at:
> 
> https://www.hardenize.com/report/guix.gnu.org/1618568751
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

Thanks!

> - DNS: DNSSEC support missing (important)

Hm, is it important? My impression is that it's an idea whose time has
passed without significant adoption.

But maybe we could enable it if the costs are not too great.

> - TLS 1.0, 1.1 considered deprecated since 2020

Yes, we should disable these, assuming there is not significant traffic
over them.

> - Allow TLS 1.3 as it helps with ESNI whenever it's ready in OpenSSL

Yes, we should enable this.

> - Use only secure ciphers, disable old ciphers

Yes.

> - Force redirection of insecure connection with plain text to TLS
> - HSTS/HSTS-preload support missing (important)

Yes, we should enable these.





* bug#47823: Hardenize Guix website TLS/DNS
From: Dr. Arne Babenhauserheide @ 2021-04-16 21:36 UTC (permalink / raw)
  To: Leo Famulari; +Cc: bo0od, 47823



Leo Famulari <leo@famulari.name> writes:

>> - Force redirection of insecure connection with plain text to TLS
>> - HSTS/HSTS-preload support missing (important)
>
> Yes, we should enable these.

Be careful with HSTS, it can make the site inaccessible if you lose
access to a certificate and have to replace it. And yes, that can happen
easily, and you then won’t have a way to inform visitors why they cannot
access the site. If you enable it, make absolutely sure that the max-age
is short enough.

Best wishes,
Arne
-- 
Being apolitical
means being political
without noticing it
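Arne's caveat is about the max-age commitment. As an added example (not from the thread or the Guix project), the parser and classifier below read a Strict-Transport-Security header and separate a short, recoverable rollout value from a committed one, and from a header that satisfies the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload). The 86400-second rollout cap is an assumed threshold, not a value from the thread.

```python
# Added example, not from the thread: classify an HSTS header by how hard it
# would be to recover from if the site lost its certificate (Arne's caveat).

ONE_YEAR = 31536000
PRELOAD_MIN_AGE = ONE_YEAR  # hstspreload.org requires max-age >= 1 year
ROLLOUT_CAP = 86400         # assumed threshold for a "still reversible" max-age


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 directives are
    case-insensitive; max-age may be quoted). Unknown directives are ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess_hsts(header, rollout_cap=ROLLOUT_CAP):
    """Return one of:
    'invalid'       - no usable max-age, browsers ignore the header
    'rollout'       - max-age within the cap: a broken certificate locks
                      visitors out only until the policy expires
    'committed'     - long max-age: losing the certificate locks visitors out
                      for the whole max-age, with no way to show them a notice
    'preload-ready' - committed and carrying everything the preload list
                      requires; once preloaded, max-age no longer bounds the
                      lockout because removal from the list takes a long time
    """
    p = parse_hsts(header)
    if p["max_age"] is None:
        return "invalid"
    if p["max_age"] <= rollout_cap:
        return "rollout"
    if p["max_age"] >= PRELOAD_MIN_AGE and p["include_subdomains"] and p["preload"]:
        return "preload-ready"
    return "committed"
```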


* bug#47823: Hardenize Guix website TLS/DNS
From: Julien Lepiller @ 2021-04-17  0:10 UTC (permalink / raw)
  To: Leo Famulari, bo0od; +Cc: 47823

On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>> - DNS: DNSSEC support missing (important)
>
>Hm, is it important? My impression is that it's an idea whose time has
>passed without significant adoption.
>
>But maybe we could enable it if the costs are not too great.

gnu.org does not have dnssec, so we'd need them to work on that first.





* bug#47823: Hardenize Guix website TLS/DNS
From: Marius Bakke @ 2021-05-24 21:36 UTC (permalink / raw)
  To: Julien Lepiller, Leo Famulari, bo0od; +Cc: 47823


Julien Lepiller <julien@lepiller.eu> writes:

> gnu.org does not have dnssec, so we'd need them to work on that first.

gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
on machines with systemd-resolved:

  https://github.com/systemd/systemd/issues/9867


* bug#47823: Hardenize Guix website TLS/DNS
From: bo0od @ 2021-05-25 12:51 UTC (permalink / raw)
  To: Marius Bakke, Julien Lepiller, Leo Famulari; +Cc: 47823

Then don't use systemd to do that. There are many other methods/tools to 
achieve it.

Marius Bakke:
> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
> on machines with systemd-resolved:
> 
>    https://github.com/systemd/systemd/issues/9867
> 





* bug#47823: Hardenize Guix website TLS/DNS
From: Julien Lepiller @ 2021-05-25 13:45 UTC (permalink / raw)
  To: bo0od, Marius Bakke, Leo Famulari; +Cc: 47823


No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)

On 25 May 2021 08:51:29 GMT-04:00, bo0od <bo0od@riseup.net> wrote:
>Then don't use systemd to do that. There are many other methods/tools to 
>achieve it.


* bug#47823: Hardenize Guix website TLS/DNS
From: bo0od @ 2021-05-25 16:37 UTC (permalink / raw)
  To: Julien Lepiller, Marius Bakke, Leo Famulari; +Cc: 47823

If the server configured DNSSEC in a bad way then surely it won't 
work, and that's what happened with gnu.org, if you read this ticket:

https://github.com/systemd/systemd/issues/9867

This ticket shows clearly that the operators of gnu.org didn't fix their 
bad DNSSEC configuration despite it being pointed out to them.

https://danwin1210.me

e.g. this domain uses DNSSEC; where is the problem connecting to it?


Julien Lepiller:
> No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)





* bug#47823: Website is fine
From: Felix Lechner via Bug reports for GNU Guix @ 2023-05-22  2:21 UTC (permalink / raw)
  To: 47823
  Cc: bo0od, Dr. Arne Babenhauserheide, Marius Bakke, Julien Lepiller,
	Leo Famulari

Hi,

> Scanning the Guix website revealed many missing security features which modern
> security needs to be available:

While I prefer DNSSEC on my domains, I see nothing wrong with
guix.gnu.org. Presumably, some changes have been made since the bug
was filed over two years ago.

SSL Labs now rates the domain security at an A grade. For details,
please consult the attached PDF document. Hardenize.com also mentions
no issues aside from HSTS, which I consider non-essential for the Guix
website.

If there are no objections, I will close this bug in the near future. Thanks!

Kind regards
Felix





* bug#47823: Website is fine
From: Felix Lechner via Bug reports for GNU Guix @ 2023-05-22  2:23 UTC (permalink / raw)
  To: 47823
  Cc: bo0od, Dr. Arne Babenhauserheide, Marius Bakke, Julien Lepiller,
	Leo Famulari


On Sun, May 21, 2023 at 7:21 PM Felix Lechner
<felix.lechner@lease-up.com> wrote:
>
> For details,
> please consult the attached PDF document.

Whoops, here is the missing attachment.

[-- Attachment #2: SSL Server Test guix.gnu.org (Powered by Qualys SSL Labs).pdf --]
[-- Type: application/pdf, Size: 48671 bytes --]


* bug#47823: Website is fine
From: bo0od @ 2023-05-31 16:37 UTC (permalink / raw)
  To: Felix Lechner, 47823
  Cc: Dr. Arne Babenhauserheide, Marius Bakke, Julien Lepiller,
	Leo Famulari

1- Hmm? Why should an A rating be OK? A+ is the target that you should aim for.

Nevertheless, remove weak/stupid TLS ciphers in TLS 1.2 (e.g. check 
grapheneos.org in SSL Labs/Hardenize to see which ciphers are the 
secure/recommended ones to keep).

2- "While I prefer DNSSEC on my domains, I see nothing wrong with
guix.gnu.org"

Sorta contradictory, still (arguably) essential to have.

*-*-*-*

Extra fruit: in the Whonix/Kicksecure and Danwin websites (I know) they 
changed the certificate signature from SHA256withRSA (RSA 2048 bits) to 
SHA384withECDSA (EC 384 bits), which is faster and more secure.

e.g: https://www.hardenize.com/report/whonix.org/1685550053#www_certs

This is just an easy request to make to Let's Encrypt and they will 
issue a new one for you.

Thank You!

Felix Lechner:
> On Sun, May 21, 2023 at 7:21 PM Felix Lechner
> <felix.lechner@lease-up.com> wrote:
>>
>> For details,
>> please consult the attached PDF document.
> 
> Whoops, here is the missing attachment.




