From: Leo Famulari <leo@famulari.name>
To: bo0od <bo0od@riseup.net>
Cc: 47823@debbugs.gnu.org
Subject: bug#47823: Hardenize Guix website TLS/DNS
Date: Fri, 16 Apr 2021 12:15:25 -0400 [thread overview]
Message-ID: <YHm4HTDJwTfXFI3U@jasmine.lan> (raw)
In-Reply-To: <ee41c6c6-c080-7248-eed4-a8889d0b0a28@riseup.net>
On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning Guix website gave many missing security features which modern
> security needs them to be available:
>
> * TLS and DNS:
>
> looking at:
>
> https://www.hardenize.com/report/guix.gnu.org/1618568751
>
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
Thanks!
> - DNS: DNSSEC support missing (important)
Hm, is it important? My impression is that it's an idea whose time has
passed without significant adoption.
But maybe we could enable it if the costs are not too great.
> - TLS 1.0 , 1.1 considered deprecated since 2020
Yes, we should disable these, assuming there is not significant traffic
over them.
> - Allow TLS 1.3 as it helps with ESNI whenever its ready by openssl
Yes, we should enable this.
> - Use only secure ciphers, disable old ciphers
Yes.
> - Force redirection of insecure connection with plain text to TLS
> - HSTS/HSTS-preload support missing (important)
Yes, we should enable these.
next prev parent reply other threads:[~2021-04-16 16:16 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-16 11:00 bug#47823: Hardenize Guix website TLS/DNS bo0od
2021-04-16 16:15 ` Leo Famulari [this message]
2021-04-16 21:36 ` Dr. Arne Babenhauserheide
2021-04-17 0:10 ` Julien Lepiller
2021-05-24 21:36 ` Marius Bakke
2021-05-25 12:51 ` bo0od
2021-05-25 13:45 ` Julien Lepiller
2021-05-25 16:37 ` bo0od
2023-05-22 2:21 ` bug#47823: Website is fine Felix Lechner via Bug reports for GNU Guix
2023-05-22 2:23 ` Felix Lechner via Bug reports for GNU Guix
2023-05-31 16:37 ` bo0od
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YHm4HTDJwTfXFI3U@jasmine.lan \
--to=leo@famulari.name \
--cc=47823@debbugs.gnu.org \
--cc=bo0od@riseup.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).