unofficial mirror of bug-guix@gnu.org 
* bug#47823: Hardenize Guix website TLS/DNS
From: bo0od @ 2021-04-16 11:00 UTC
  To: 47823

Hi There,

Scanning the Guix website showed many missing security features which modern 
security needs to be available:

* TLS and DNS:

looking at:

https://www.hardenize.com/report/guix.gnu.org/1618568751

https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

- DNS: DNSSEC support missing (important)
- TLS 1.0 and 1.1 have been considered deprecated since 2020
- Allow TLS 1.3, as it helps with ESNI whenever it's ready in OpenSSL
- Use only secure ciphers, disable old ciphers
- Force redirection of insecure plain-text connections to TLS
- HSTS/HSTS-preload support missing (important)


* Web Application (Headers):

I think it's self-explanatory:

https://securityheaders.com/?q=https%3A%2F%2Fguix.gnu.org%2F&followRedirects=on

ThX!





* bug#47823: Hardenize Guix website TLS/DNS
From: Leo Famulari @ 2021-04-16 16:15 UTC
  To: bo0od; +Cc: 47823

On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning the Guix website showed many missing security features which modern
> security needs to be available:
> 
> * TLS and DNS:
> 
> looking at:
> 
> https://www.hardenize.com/report/guix.gnu.org/1618568751
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

Thanks!

> - DNS: DNSSEC support missing (important)

Hm, is it important? My impression is that it's an idea whose time has
passed without significant adoption.

But maybe we could enable it if the costs are not too great.

> - TLS 1.0 and 1.1 have been considered deprecated since 2020

Yes, we should disable these, assuming there is not significant traffic
over them.

> - Allow TLS 1.3, as it helps with ESNI whenever it's ready in OpenSSL

Yes, we should enable this.

> - Use only secure ciphers, disable old ciphers

Yes.

> - Force redirection of insecure plain-text connections to TLS
> - HSTS/HSTS-preload support missing (important)

Yes, we should enable these.
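
The protocol and cipher items Leo agrees to above, as an added example that is not code from the Guix project or from anyone in this thread: a Python script that builds a server-side TLS policy the way the scanners want it and grades it against the checklist (TLS 1.0/1.1 refused, TLS 1.3 offered, no legacy suites). The cipher string and the weak-suite name markers are this example's own assumptions, not the guix.gnu.org configuration; probe_version() applies the same version check to a live host and is the only part that needs a network.

```python
"""TLS protocol and cipher policy check for the items in this thread.

Added example; not code from the Guix project or from anyone in the thread.
Two server-side ssl.SSLContext objects are built, a legacy one of the kind
the SSL Labs / Hardenize scans flag and a hardened one, and audit() grades
each against the checklist: TLS 1.0/1.1 accepted, TLS 1.3 offered, legacy
cipher suites present. probe_version() runs the same version check against a
live host and is the only part that needs a network.
"""
import socket
import ssl
import warnings

# Suite selection assumed for the hardened profile (ECDHE key exchange, AEAD
# ciphers only); an assumption of this example, not the guix.gnu.org config.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!PSK:!aNULL"
# Name fragments that mark suites no public site should still offer.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "PSK", "ADH", "AECDH")
OLD_FLOORS = (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.SSLv3,
              ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
TLS13_AVAILABLE = ssl.HAS_TLSv1_3          # depends on the linked OpenSSL


def _set_versions(ctx: ssl.SSLContext, lo: ssl.TLSVersion, hi: ssl.TLSVersion) -> None:
    # Python 3.10+ warns when TLS 1.0/1.1 are selected; here that is the point.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = lo
        ctx.maximum_version = hi


def legacy_server_context() -> ssl.SSLContext:
    """What the scanners complained about: old versions, every known suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    floor = ssl.TLSVersion.TLSv1 if ssl.HAS_TLSv1 else ssl.TLSVersion.MINIMUM_SUPPORTED
    _set_versions(ctx, floor, ssl.TLSVersion.TLSv1_2)   # TLS 1.3 never offered
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")               # CBC, 3DES, ... included
    except ssl.SSLError:                                 # LibreSSL: no security levels
        ctx.set_ciphers("ALL")
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2 floor, TLS 1.3 on, forward-secret AEAD suites, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    _set_versions(ctx, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.MAXIMUM_SUPPORTED)
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION                 # CRIME-class attacks
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Grade a context against the thread's checklist. MINIMUM_SUPPORTED means
    'whatever OpenSSL allows', which may still include TLS 1.0."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    weak = [c["name"] for c in ctx.get_ciphers()
            if not c["aead"] or any(m in c["name"] for m in WEAK_MARKERS)]
    return {
        "tls10_allowed": lo in OLD_FLOORS[:3],
        "tls11_allowed": lo in OLD_FLOORS,
        "tls13_offered": TLS13_AVAILABLE and hi in (ssl.TLSVersion.MAXIMUM_SUPPORTED,
                                                    ssl.TLSVersion.TLSv1_3),
        "weak_ciphers": weak,
    }


def probe_version(host: str, version: ssl.TLSVersion,
                  port: int = 443, timeout: float = 5.0) -> bool:
    """True if `host` completes a handshake pinned to exactly `version`
    (the equivalent of `openssl s_client -tls1_1 -connect host:443`).

    Verification is disabled because this probes protocol support, not trust,
    and the client cipher list is opened up so the client itself does not
    refuse TLS 1.0/1.1 before the server gets a chance to.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    _set_versions(ctx, version, version)
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers("ALL")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        print(label, audit(ctx))
    # Live check of the thread's subject, e.g.:
    # print(probe_version("guix.gnu.org", ssl.TLSVersion.TLSv1_1))
```

Whether TLS 1.3 shows up depends on the OpenSSL the interpreter is linked against, which is also Leo's point about "enable this": the server can only offer what its library supports. If the site is served by nginx, the same floor is expressed as `ssl_protocols TLSv1.2 TLSv1.3;`, and the "assuming there is not significant traffic over them" question is answered by logging the negotiated version ($ssl_protocol in nginx's log format) for a while before flipping the switch.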





* bug#47823: Hardenize Guix website TLS/DNS
From: Dr. Arne Babenhauserheide @ 2021-04-16 21:36 UTC
  To: Leo Famulari; +Cc: bo0od, 47823

Leo Famulari <leo@famulari.name> writes:

>> - Force redirection of insecure connection with plain text to TLS
>> - HSTS/HSTS-preload support missing (important)
>
> Yes, we should enable these.

Be careful with HSTS, it can make the site inaccessible if you lose
access to a certificate and have to replace it. And yes, that can happen
easily, and you then won’t have a way to inform visitors why they cannot
access the site. If you enable it, make absolutely sure that the max-age
is short enough.

Best wishes,
Arne
-- 
Being apolitical
means being political
without noticing it

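The redirect, HSTS and securityheaders.com items from the opening report, together with Arne's warning about max-age, as one added example that is not code from the Guix project or from anyone in this thread. The sample responses are constructed for www.example.org, not captured from guix.gnu.org. The mechanism behind Arne's caution: once a browser has seen Strict-Transport-Security for a host it refuses plain HTTP and turns a certificate error for that host into a non-bypassable page until max-age expires, and a host in the preload list stays pinned until the browsers ship a removal. The script therefore reports the commitment window in days and where the current value sits on the staged rollout hstspreload.org recommends (5 minutes, 1 week, 1 month, then 1 year with includeSubDomains and preload).

```python
"""Audit HTTP responses for the items securityheaders.com and Hardenize grade.

Added example; not code from the Guix project or from anyone in this thread.
The sample responses are constructed for www.example.org, not captured from
guix.gnu.org. Checked: the plain-HTTP redirect, the header set the scanner
looks for, and the Strict-Transport-Security policy, for which the report
states how long the browser-side commitment lasts and where the value sits
on the staged rollout (5 min, 1 week, 1 month, 1 year) hstspreload.org asks
for before a preload submission.
"""
from __future__ import annotations

ONE_YEAR = 31536000                         # hstspreload.org minimum max-age
ROLLOUT_STAGES = (300, 604800, 2592000, ONE_YEAR)
GRADED_HEADERS = (                          # what securityheaders.com grades
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
)

# Constructed samples: a port-80 answer and the HTTPS answer before/after.
SAMPLE_PLAIN_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
                     "Location: https://www.example.org/\r\n"
                     "Content-Length: 0\r\n\r\n")
SAMPLE_HTTPS_BEFORE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                       "Content-Type: text/html; charset=utf-8\r\n\r\n<html>")
SAMPLE_HTTPS_AFTER = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                      "Content-Type: text/html; charset=utf-8\r\n"
                      "Strict-Transport-Security: max-age=300\r\n"   # stage 1
                      "Content-Security-Policy: default-src 'self'; "
                      "frame-ancestors 'none'\r\n"
                      "X-Content-Type-Options: nosniff\r\n"
                      "Referrer-Policy: strict-origin-when-cross-origin\r\n"
                      "Permissions-Policy: geolocation=(), camera=()\r\n\r\n<html>")


def parse_response(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Split a raw HTTP/1.1 response head into (status, {lower-name: [values]})."""
    status_line, *lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status_line.split(" ", 2)[1]), headers


def parse_hsts(value: str) -> dict | None:
    """RFC 6797 directive parsing. None means a browser would ignore the header
    (max-age missing, duplicated or non-numeric)."""
    out: dict = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if out["max_age"] is not None or not val.isdigit():
                return None
            out["max_age"] = int(val)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max_age"] is not None else None


def assess_hsts(hsts: dict) -> dict:
    """How long clients stay locked to HTTPS, whether the value meets the
    preload bar, and the next rollout stage if it does not."""
    max_age = hsts["max_age"]
    return {
        "commitment_days": max_age / 86400,
        "preload_eligible": (max_age >= ONE_YEAR and hsts["include_subdomains"]
                             and hsts["preload"]),
        "next_stage": next((s for s in ROLLOUT_STAGES if s > max_age), None),
    }


def audit_plain_http(status: int, headers: dict[str, list[str]]) -> dict:
    """Port-80 answer must be a redirect to an https:// URL, ideally permanent."""
    location = headers.get("location", [""])[0].lower()
    return {"redirects_to_https": status in (301, 302, 307, 308)
            and location.startswith("https://"),
            "permanent": status in (301, 308)}


def audit_https_headers(headers: dict[str, list[str]]) -> list[str]:
    """Graded headers that are absent or carry a value the scanner rejects."""
    missing = []
    csp = " ".join(headers.get("content-security-policy", [])).lower()
    for name in GRADED_HEADERS:
        values = headers.get(name, [])
        if name == "x-frame-options" and not values and "frame-ancestors" in csp:
            continue            # CSP frame-ancestors supersedes X-Frame-Options
        if (not values
                or (name == "x-content-type-options" and values[0].lower() != "nosniff")
                or (name == "strict-transport-security" and parse_hsts(values[0]) is None)):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print(audit_plain_http(*parse_response(SAMPLE_PLAIN_HTTP)))
    for raw in (SAMPLE_HTTPS_BEFORE, SAMPLE_HTTPS_AFTER):
        _, h = parse_response(raw)
        print("missing:", audit_https_headers(h))
        if "strict-transport-security" in h:
            print("hsts:", assess_hsts(parse_hsts(h["strict-transport-security"][0])))
```

The "after" sample deliberately ships max-age=300: that passes the header-presence check while keeping Arne's exposure to five minutes, and the report says the next step is 604800. Preload eligibility only becomes true at one year with both includeSubDomains and preload, which is the point of no easy return.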

* bug#47823: Hardenize Guix website TLS/DNS
From: Julien Lepiller @ 2021-04-17  0:10 UTC
  To: Leo Famulari, bo0od; +Cc: 47823

On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>> - DNS: DNSSEC support missing (important)
>
>Hm, is it important? My impression is that it's an idea whose time has
>passed without significant adoption.
>
>But maybe we could enable it if the costs are not too great.

gnu.org does not have DNSSEC, so we'd need them to work on that first.





* bug#47823: Hardenize Guix website TLS/DNS
From: Marius Bakke @ 2021-05-24 21:36 UTC
  To: Julien Lepiller, Leo Famulari, bo0od; +Cc: 47823

Julien Lepiller <julien@lepiller.eu> writes:

> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>>> - DNS: DNSSEC support missing (important)
>>
>>Hm, is it important? My impression is that it's an idea whose time has
>>passed without significant adoption.
>>
>>But maybe we could enable it if the costs are not too great.
>
> gnu.org does not have DNSSEC, so we'd need them to work on that first.

gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
on machines with systemd-resolved:

  https://github.com/systemd/systemd/issues/9867


* bug#47823: Hardenize Guix website TLS/DNS
From: bo0od @ 2021-05-25 12:51 UTC
  To: Marius Bakke, Julien Lepiller, Leo Famulari; +Cc: 47823

Then don't use systemd to do that. There are many other methods/tools to 
achieve having it.


* bug#47823: Hardenize Guix website TLS/DNS
From: Julien Lepiller @ 2021-05-25 13:45 UTC
  To: bo0od, Marius Bakke, Leo Famulari; +Cc: 47823

No, resolved is on the client side. This means that they managed to set up DNSSEC, but some clients that use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)


* bug#47823: Hardenize Guix website TLS/DNS
From: bo0od @ 2021-05-25 16:37 UTC
  To: Julien Lepiller, Marius Bakke, Leo Famulari; +Cc: 47823

If the server configured DNSSEC in a bad way then surely it won't 
work, and that's what happened with gnu.org, if you read this ticket:

https://github.com/systemd/systemd/issues/9867

This ticket shows clearly that the operators of gnu.org didn't fix their 
bad DNSSEC configuration despite it being pointed out to them.

https://danwin1210.me

e.g. this domain uses DNSSEC; where is the problem connecting to it?

