From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#47823: Hardenize Guix website TLS/DNS
From: Leo Famulari
To: bo0od
Cc: 47823@debbugs.gnu.org
Date: Fri, 16 Apr 2021 12:15:25 -0400
List-Id: Bug reports for GNU Guix
Content-Type: text/plain; charset=us-ascii

On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning the Guix website gave many missing security features which modern
> security needs to be available:
>
> * TLS and DNS:
>
> looking at:
>
> https://www.hardenize.com/report/guix.gnu.org/1618568751
>
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

Thanks!

> - DNS: DNSSEC support missing (important)

Hm, is it important? My impression is that it's an idea whose time has
passed without significant adoption.

But maybe we could enable it if the costs are not too great.

> - TLS 1.0, 1.1 considered deprecated since 2020

Yes, we should disable these, assuming there is not significant traffic
over them.

> - Allow TLS 1.3 as it helps with ESNI whenever it's ready by openssl

Yes, we should enable this.

> - Use only secure ciphers, disable old ciphers

Yes.

> - Force redirection of insecure connection with plain text to TLS
> - HSTS/HSTS-preload support missing (important)

Yes, we should enable these.
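A small checker for the items agreed on in this reply (TLS 1.0/1.1 off, TLS 1.3 on, HSTS suitable for preloading), written as an added example that is not part of this bug thread or of the Guix website's own tooling. The function names are hypothetical, the header dicts fed to it are constructed inputs, and the live probe assumes outbound access to port 443 of the host given.

```python
import socket
import ssl

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires max-age >= 1 year
DEPRECATED_VERSIONS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value or True}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:  # skip the empty piece left by a trailing ';'
            directives[name.lower()] = val.strip().strip('"') or True
    return directives

def hsts_findings(headers):
    """List what is wrong with the HSTS policy in a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in h:
        return ["HSTS header missing"]
    d, findings = parse_hsts(h["strict-transport-security"]), []
    max_age = d.get("max-age", "0")
    if not str(max_age).isdigit() or int(max_age) < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age below one year: %r" % max_age)
    for key, label in (("includesubdomains", "includeSubDomains"), ("preload", "preload")):
        if key not in d:
            findings.append(label + " directive missing")
    return findings

def tls_findings(accepted):
    """Flag deprecated versions still negotiable and a missing TLS 1.3."""
    findings = [v + " still accepted" for v in accepted if v in DEPRECATED_VERSIONS]
    return findings + ([] if "TLSv1.3" in accepted else ["TLSv1.3 not negotiable"])

def accepted_tls_versions(host, port=443):
    """Live probe: offer one protocol version at a time and record what negotiates.
    Caveat: an OpenSSL 3 client may refuse TLS 1.0/1.1 itself, which reads as 'not accepted'."""
    accepted = []
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append(tls.version())
        except (OSError, ValueError):  # handshake refused or version unsupported by client
            pass
    return accepted
```

Running `tls_findings(accepted_tls_versions("guix.gnu.org"))` reproduces the protocol part of the report; feed the site's real response headers to `hsts_findings` for the HSTS part.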