* bug#47823: Hardenize Guix website TLS/DNS
From: bo0od @ 2021-04-16 11:00 UTC (permalink / raw)
To: 47823
Hi There,
Scanning the Guix website showed many missing security features that modern
security needs to be available:
* TLS and DNS:
looking at:
https://www.hardenize.com/report/guix.gnu.org/1618568751
https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
- DNS: DNSSEC support missing (important)
- TLS 1.0 and 1.1 have been considered deprecated since 2020
- Allow TLS 1.3, as it helps with ESNI whenever it's ready in OpenSSL
- Use only secure ciphers, disable old ciphers
- Force redirection of insecure plain-text connections to TLS
- HSTS/HSTS-preload support missing (important)
* Web Application (Headers):
I think it's self-explanatory:
https://securityheaders.com/?q=https%3A%2F%2Fguix.gnu.org%2F&followRedirects=on
ThX!
* bug#47823: Hardenize Guix website TLS/DNS
From: Leo Famulari @ 2021-04-16 16:15 UTC (permalink / raw)
To: bo0od; +Cc: 47823
On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning Guix website gave many missing security features which modern
> security needs them to be available:
>
> * TLS and DNS:
>
> looking at:
>
> https://www.hardenize.com/report/guix.gnu.org/1618568751
>
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
Thanks!
> - DNS: DNSSEC support missing (important)
Hm, is it important? My impression is that it's an idea whose time has
passed without significant adoption.
But maybe we could enable it if the costs are not too great.
> - TLS 1.0 , 1.1 considered deprecated since 2020
Yes, we should disable these, assuming there is not significant traffic
over them.
> - Allow TLS 1.3 as it helps with ESNI whenever its ready by openssl
Yes, we should enable this.
> - Use only secure ciphers, disable old ciphers
Yes.
> - Force redirection of insecure connection with plain text to TLS
> - HSTS/HSTS-preload support missing (important)
Yes, we should enable these.
* bug#47823: Hardenize Guix website TLS/DNS
From: Dr. Arne Babenhauserheide @ 2021-04-16 21:36 UTC (permalink / raw)
To: Leo Famulari; +Cc: bo0od, 47823
Leo Famulari <leo@famulari.name> writes:
>> - Force redirection of insecure connection with plain text to TLS
>> - HSTS/HSTS-preload support missing (important)
>
> Yes, we should enable these.
Be careful with HSTS, it can make the site inaccessible if you lose
access to a certificate and have to replace it. And yes, that can happen
easily, and you then won’t have a way to inform visitors why they cannot
access the site. If you enable it, make absolutely sure that the max-age
is short enough.
Best wishes,
Arne
--
Being apolitical
means being political
without noticing it
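As an added illustration of the max-age caveat above (example code, not from this thread or the Guix project): a Python checker that parses a Strict-Transport-Security header, reports how long a cached policy would keep visitors locked out if the certificate could not be replaced, and checks the hstspreload.org requirements for the preload list (max-age of at least one year, includeSubDomains, preload). The header value is constructed, and the 30-day lockout tolerance is an assumed threshold, not a standard.

```python
import re

# hstspreload.org requires a max-age of at least one year for submission.
PRELOAD_MIN_MAX_AGE = 365 * 24 * 3600
SECONDS_PER_DAY = 24 * 3600


def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None when browsers would ignore it
    (missing header, or missing/malformed max-age)."""
    if not header:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', value.strip())
            if match is None:
                return None
            policy["max_age"] = int(match.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def assess_hsts(header, max_lockout_days=30):
    """Report how long a cached policy would lock visitors out if the certificate
    could not be replaced, and whether the policy meets the preload requirements
    (max-age >= one year, includeSubDomains, preload)."""
    policy = parse_hsts(header)
    if policy is None:
        return {"enabled": False, "lockout_days": 0.0, "preload_eligible": False,
                "findings": ["no usable HSTS policy"]}
    findings = []
    lockout_days = policy["max_age"] / SECONDS_PER_DAY
    if lockout_days > max_lockout_days:
        findings.append(f"max-age keeps HTTPS-only for {lockout_days:.0f} days; "
                        "a lost certificate would lock visitors out that long")
    eligible = (policy["max_age"] >= PRELOAD_MIN_MAX_AGE
                and policy["include_subdomains"] and policy["preload"])
    if policy["preload"] and not eligible:
        findings.append("preload token set but policy does not meet preload requirements")
    return {"enabled": True, "lockout_days": lockout_days,
            "preload_eligible": eligible, "findings": findings}


# Constructed sample header (not captured from guix.gnu.org).
SAMPLE_PRELOAD = "max-age=31536000; includeSubDomains; preload"
```

Note the tension the thread leaves open: a policy short enough to limit lockout risk (a few days or weeks) cannot also satisfy the one-year minimum that preloading requires.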
* bug#47823: Hardenize Guix website TLS/DNS
From: Julien Lepiller @ 2021-04-17 0:10 UTC (permalink / raw)
To: Leo Famulari, bo0od; +Cc: 47823
On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>> Scanning Guix website gave many missing security features which
>modern
>> security needs them to be available:
>>
>> * TLS and DNS:
>>
>> looking at:
>>
>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>
>Thanks!
>
>> - DNS: DNSSEC support missing (important)
>
>Hm, is it important? My impression is that it's an idea whose time has
>passed without significant adoption.
>
>But maybe we could enable it if the costs are not too great.
gnu.org does not have dnssec, so we'd need them to work on that first.
* bug#47823: Hardenize Guix website TLS/DNS
From: Marius Bakke @ 2021-05-24 21:36 UTC (permalink / raw)
To: Julien Lepiller, Leo Famulari, bo0od; +Cc: 47823
Julien Lepiller <julien@lepiller.eu> writes:
> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>>On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>> Scanning Guix website gave many missing security features which
>>modern
>>> security needs them to be available:
>>>
>>> * TLS and DNS:
>>>
>>> looking at:
>>>
>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>
>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>
>>Thanks!
>>
>>> - DNS: DNSSEC support missing (important)
>>
>>Hm, is it important? My impression is that it's an idea whose time has
>>passed without significant adoption.
>>
>>But maybe we could enable it if the costs are not too great.
>
> gnu.org does not have dnssec, so we'd need them to work on that first.
gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
on machines with systemd-resolved:
https://github.com/systemd/systemd/issues/9867
* bug#47823: Hardenize Guix website TLS/DNS
From: bo0od @ 2021-05-25 12:51 UTC (permalink / raw)
To: Marius Bakke, Julien Lepiller, Leo Famulari; +Cc: 47823
Then don't use systemd to do that. There are many other methods/tools to
achieve having it.
Marius Bakke:
> Julien Lepiller <julien@lepiller.eu> writes:
>
>> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>> Scanning Guix website gave many missing security features which
>>> modern
>>>> security needs them to be available:
>>>>
>>>> * TLS and DNS:
>>>>
>>>> looking at:
>>>>
>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>
>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>
>>> Thanks!
>>>
>>>> - DNS: DNSSEC support missing (important)
>>>
>>> Hm, is it important? My impression is that it's an idea whose time has
>>> passed without significant adoption.
>>>
>>> But maybe we could enable it if the costs are not too great.
>>
>> gnu.org does not have dnssec, so we'd need them to work on that first.
>
> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
> on machines with systemd-resolved:
>
> https://github.com/systemd/systemd/issues/9867
>
* bug#47823: Hardenize Guix website TLS/DNS
From: Julien Lepiller @ 2021-05-25 13:45 UTC (permalink / raw)
To: bo0od, Marius Bakke, Leo Famulari; +Cc: 47823
No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)
On 25 May 2021 08:51:29 GMT-04:00, bo0od <bo0od@riseup.net> wrote:
>Then dont use systemd to do that. There many other methods/tools to
>achieve having it.
>
>Marius Bakke:
>> Julien Lepiller <julien@lepiller.eu> writes:
>>
>>> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari
><leo@famulari.name> wrote:
>>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>>> Scanning Guix website gave many missing security features which
>>>> modern
>>>>> security needs them to be available:
>>>>>
>>>>> * TLS and DNS:
>>>>>
>>>>> looking at:
>>>>>
>>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>>
>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>>
>>>> Thanks!
>>>>
>>>>> - DNS: DNSSEC support missing (important)
>>>>
>>>> Hm, is it important? My impression is that it's an idea whose time
>has
>>>> passed without significant adoption.
>>>>
>>>> But maybe we could enable it if the costs are not too great.
>>>
>>> gnu.org does not have dnssec, so we'd need them to work on that
>first.
>>
>> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
>> on machines with systemd-resolved:
>>
>> https://github.com/systemd/systemd/issues/9867
>>
* bug#47823: Hardenize Guix website TLS/DNS
From: bo0od @ 2021-05-25 16:37 UTC (permalink / raw)
To: Julien Lepiller, Marius Bakke, Leo Famulari; +Cc: 47823
If the server configured DNSSEC in a bad way then surely it won't
work, and that's what happened with gnu.org if you read this ticket:
https://github.com/systemd/systemd/issues/9867
This ticket shows clearly that the operators of gnu.org didn't fix their
bad DNSSEC configuration despite it being pointed out to them.
https://danwin1210.me
e.g. this domain uses DNSSEC; where is the problem connecting to it?
Julien Lepiller:
> No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)
>
> On 25 May 2021 08:51:29 GMT-04:00, bo0od <bo0od@riseup.net> wrote:
>> Then dont use systemd to do that. There many other methods/tools to
>> achieve having it.
>>
>> Marius Bakke:
>>> Julien Lepiller <julien@lepiller.eu> writes:
>>>
>>>> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari
>> <leo@famulari.name> wrote:
>>>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>>>> Scanning Guix website gave many missing security features which
>>>>> modern
>>>>>> security needs them to be available:
>>>>>>
>>>>>> * TLS and DNS:
>>>>>>
>>>>>> looking at:
>>>>>>
>>>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>>>
>>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>>>
>>>>> Thanks!
>>>>>
>>>>>> - DNS: DNSSEC support missing (important)
>>>>>
>>>>> Hm, is it important? My impression is that it's an idea whose time
>> has
>>>>> passed without significant adoption.
>>>>>
>>>>> But maybe we could enable it if the costs are not too great.
>>>>
>>>> gnu.org does not have dnssec, so we'd need them to work on that
>> first.
>>>
>>> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
>>> on machines with systemd-resolved:
>>>
>>> https://github.com/systemd/systemd/issues/9867
>>>
>
* bug#47823: Website is fine
From: Felix Lechner via Bug reports for GNU Guix @ 2023-05-22 2:21 UTC (permalink / raw)
To: 47823
Cc: bo0od, Dr. Arne Babenhauserheide, Marius Bakke, Julien Lepiller,
Leo Famulari
Hi,
> Scanning Guix website gave many missing security features which modern
> security needs them to be available:
While I prefer DNSSEC on my domains, I see nothing wrong with
guix.gnu.org. Presumably, some changes have been made since the bug
was filed over two years ago.
SSL Labs now rates the domain security at an A grade. For details,
please consult the attached PDF document. Hardenize.com also mentions
no issues aside from HSTS, which I consider non-essential for the Guix
website.
If there are no objections, I will close this bug in the near future. Thanks!
Kind regards
Felix
* bug#47823: Website is fine
From: Felix Lechner via Bug reports for GNU Guix @ 2023-05-22 2:23 UTC (permalink / raw)
To: 47823
Cc: bo0od, Dr. Arne Babenhauserheide, Marius Bakke, Julien Lepiller,
Leo Famulari
On Sun, May 21, 2023 at 7:21 PM Felix Lechner
<felix.lechner@lease-up.com> wrote:
>
> For details,
> please consult the attached PDF document.
Whoops, here is the missing attachment.
[-- Attachment #2: SSL Server Test guix.gnu.org (Powered by Qualys SSL Labs).pdf --]
* bug#47823: Website is fine
From: bo0od @ 2023-05-31 16:37 UTC (permalink / raw)
To: Felix Lechner, 47823
Cc: Dr. Arne Babenhauserheide, Marius Bakke, Julien Lepiller,
Leo Famulari
1- Hmm? Why should an A rating be OK? A+ is the target that you should aim for.
Nevertheless, remove weak/stupid TLS ciphers in TLS 1.2 (e.g. check
grapheneos.org in SSL Labs/Hardenize to see which ciphers are the
secure/recommended ones to keep).
2- "While I prefer DNSSEC on my domains, I see nothing wrong with
guix.gnu.org"
Sorta contradictory, still (arguably) essential to have.
*-*-*-*
Extra fruit: the Whonix/Kicksecure and Danwin websites (I know) changed
the certificate signature from SHA256withRSA (RSA 2048 bits) to
SHA384withECDSA (EC 384 bits), which is faster and more secure.
e.g: https://www.hardenize.com/report/whonix.org/1685550053#www_certs
This is just an easy request to make to Let's Encrypt and they will
issue a new one for you.
Thank You!
Felix Lechner:
> On Sun, May 21, 2023 at 7:21 PM Felix Lechner
> <felix.lechner@lease-up.com> wrote:
>>
>> For details,
>> please consult the attached PDF document.
>
> Whoops, here is the missing attachment.