Hardenize Guix website TLS/DNS

  • Open
Details
6 participants
  • Dr. Arne Babenhauserheide
  • bo0od
  • Felix Lechner
  • Julien Lepiller
  • Leo Famulari
  • Marius Bakke
Owner
unassigned
Submitted by
bo0od
Severity
normal
(address . bug-guix@gnu.org)
ee41c6c6-c080-7248-eed4-a8889d0b0a28@riseup.net
Hi There,

Scanning the Guix website revealed many missing security features which modern
security needs to be available:

* TLS and DNS:

looking at:

https://www.hardenize.com/report/guix.gnu.org/1618568751

https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

- DNS: DNSSEC support missing (important)
- TLS 1.0, 1.1 considered deprecated since 2020
- Allow TLS 1.3, as it helps with ESNI whenever it's ready in OpenSSL
- Use only secure ciphers, disable old ciphers
- Force redirection of insecure plain-text connections to TLS
- HSTS/HSTS-preload support missing (important)


* Web Application (Headers):

I think it's self-explanatory:


ThX!
Leo Famulari wrote on 16 Apr 2021 18:15
(name . bo0od)(address . bo0od@riseup.net)(address . 47823@debbugs.gnu.org)
YHm4HTDJwTfXFI3U@jasmine.lan
On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning Guix website gave many missing security features which modern
> security needs them to be available:
>
> * TLS and DNS:
>
> looking at:
>
> https://www.hardenize.com/report/guix.gnu.org/1618568751
>
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

Thanks!

> - DNS: DNSSEC support missing (important)

Hm, is it important? My impression is that it's an idea whose time has
passed without significant adoption.

But maybe we could enable it if the costs are not too great.

> - TLS 1.0 , 1.1 considered deprecated since 2020

Yes, we should disable these, assuming there is not significant traffic
over them.

> - Allow TLS 1.3 as it helps with ESNI whenever its ready by openssl

Yes, we should enable this.

> - Use only secure ciphers, disable old ciphers

Yes.

> - Force redirection of insecure connection with plain text to TLS
> - HSTS/HSTS-preload support missing (important)

Yes, we should enable these.
Dr. Arne Babenhauserheide wrote on 16 Apr 2021 23:36
(name . Leo Famulari)(address . leo@famulari.name)
875z0lap4g.fsf@web.de
Leo Famulari <leo@famulari.name> writes:

>> - Force redirection of insecure connection with plain text to TLS
>> - HSTS/HSTS-preload support missing (important)
>
> Yes, we should enable these.

Be careful with HSTS, it can make the site inaccessible if you lose
access to a certificate and have to replace it. And yes, that can happen
easily, and you then won’t have a way to inform visitors why they cannot
access the site. If you enable it, make absolutely sure that the max-age
is short enough.

Best wishes,
Arne
--
Being unpolitical
means being political
without noticing it
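An offline audit helper for the checklist in the first message and for Arne's max-age caveat above, added here as an example and not code from this thread or from the Guix project: it parses and grades a Strict-Transport-Security header (the one-year preload minimum and the one-week rollout ceiling are assumed thresholds) and probes which TLS protocol versions a server will still negotiate.

```python
import ssl
import socket

PRELOAD_MIN_AGE = 31536000  # hstspreload.org asks for at least one year (assumed)
ROLLOUT_MAX_AGE = 7 * 86400  # assumed ceiling while renewal is still unproven

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if the header is absent."""
    if header is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def assess_hsts(policy, rollout=True):
    """Findings for the policy; rollout=True applies the short max-age advice."""
    if policy is None:
        return ["HSTS header missing"]
    age = policy["max_age"]
    if age is None:
        return ["max-age missing or malformed: browsers ignore the header"]
    findings = []
    if policy["preload"] and age < PRELOAD_MIN_AGE:
        findings.append("preload requested but max-age is below one year")
    if policy["preload"] and not policy["include_subdomains"]:
        findings.append("preload requires includeSubDomains")
    if rollout and age > ROLLOUT_MAX_AGE:
        findings.append("max-age above a week during rollout: lock-out risk on cert loss")
    return findings

def probe_tls_versions(host, port=443, timeout=5.0):
    """Pin one version per handshake; False may also mean the local OpenSSL refuses it."""
    results = {}
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = v
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[v.name] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            results[v.name] = False
    return results
```

A hardened site should report TLSv1 and TLSv1_1 as False and TLSv1_2 and TLSv1_3 as True; confirm a False for the old versions against the local OpenSSL security level before attributing it to the server.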

Julien Lepiller wrote on 17 Apr 2021 02:10
(address . 47823@debbugs.gnu.org)
4BF8EE8A-C2B4-429A-A0DF-928155A5802E@lepiller.eu
On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>> Scanning Guix website gave many missing security features which
>modern
>> security needs them to be available:
>>
>> * TLS and DNS:
>>
>> looking at:
>>
>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>
>Thanks!
>
>> - DNS: DNSSEC support missing (important)
>
>Hm, is it important? My impression is that it's an idea whose time has
>passed without significant adoption.
>
>But maybe we could enable it if the costs are not too great.

gnu.org does not have dnssec, so we'd need them to work on that first.
Marius Bakke wrote on 24 May 2021 23:36
(address . 47823@debbugs.gnu.org)
87r1hvq0ev.fsf@gnu.org
Julien Lepiller <julien@lepiller.eu> writes:

> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>>On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>> Scanning Guix website gave many missing security features which
>>modern
>>> security needs them to be available:
>>>
>>> * TLS and DNS:
>>>
>>> looking at:
>>>
>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>
>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>
>>Thanks!
>>
>>> - DNS: DNSSEC support missing (important)
>>
>>Hm, is it important? My impression is that it's an idea whose time has
>>passed without significant adoption.
>>
>>But maybe we could enable it if the costs are not too great.
>
> gnu.org does not have dnssec, so we'd need them to work on that first.

gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
on machines with systemd-resolved:

https://github.com/systemd/systemd/issues/9867


(address . 47823@debbugs.gnu.org)
3a56f495-6316-4808-5abb-51bd1186e289@riseup.net
Then don't use systemd to do that. There are many other methods/tools to
achieve it.

Marius Bakke:
> Julien Lepiller <julien@lepiller.eu> writes:
>
>> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>> Scanning Guix website gave many missing security features which
>>> modern
>>>> security needs them to be available:
>>>>
>>>> * TLS and DNS:
>>>>
>>>> looking at:
>>>>
>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>
>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>
>>> Thanks!
>>>
>>>> - DNS: DNSSEC support missing (important)
>>>
>>> Hm, is it important? My impression is that it's an idea whose time has
>>> passed without significant adoption.
>>>
>>> But maybe we could enable it if the costs are not too great.
>>
>> gnu.org does not have dnssec, so we'd need them to work on that first.
>
> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
> on machines with systemd-resolved:
>
> https://github.com/systemd/systemd/issues/9867
>
Julien Lepiller wrote on 25 May 2021 15:45
(address . 47823@debbugs.gnu.org)
8A7D5A59-1B7A-421E-97CF-B5F72C8B4A4B@lepiller.eu
No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)

On 25 May 2021 08:51:29 GMT-04:00, bo0od <bo0od@riseup.net> wrote:
>Then dont use systemd to do that. There many other methods/tools to
>achieve having it.
>
>Marius Bakke:
>> Julien Lepiller <julien@lepiller.eu> writes:
>>
>>> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari
><leo@famulari.name> wrote:
>>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>>> Scanning Guix website gave many missing security features which
>>>> modern
>>>>> security needs them to be available:
>>>>>
>>>>> * TLS and DNS:
>>>>>
>>>>> looking at:
>>>>>
>>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>>
>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>>
>>>> Thanks!
>>>>
>>>>> - DNS: DNSSEC support missing (important)
>>>>
>>>> Hm, is it important? My impression is that it's an idea whose time
>has
>>>> passed without significant adoption.
>>>>
>>>> But maybe we could enable it if the costs are not too great.
>>>
>>> gnu.org does not have dnssec, so we'd need them to work on that
>first.
>>
>> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
>> on machines with systemd-resolved:
>>
>> https://github.com/systemd/systemd/issues/9867
>>
(address . 47823@debbugs.gnu.org)
fa370899-2ab1-c0b5-42af-686a86abde9c@riseup.net
If the server configured DNSSEC in a bad way then surely it won't
work, and that's what happened with gnu.org if you read this ticket:


This ticket shows clearly that the operators of gnu.org didn't fix their
bad DNSSEC configuration despite it being pointed out to them.


e.g. this domain uses DNSSEC; where is the problem connecting to it?


Julien Lepiller:
> No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)
>
> On 25 May 2021 08:51:29 GMT-04:00, bo0od <bo0od@riseup.net> wrote:
>> Then dont use systemd to do that. There many other methods/tools to
>> achieve having it.
>>
>> Marius Bakke:
>>> Julien Lepiller <julien@lepiller.eu> writes:
>>>
>>>> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari
>> <leo@famulari.name> wrote:
>>>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>>>> Scanning Guix website gave many missing security features which
>>>>> modern
>>>>>> security needs them to be available:
>>>>>>
>>>>>> * TLS and DNS:
>>>>>>
>>>>>> looking at:
>>>>>>
>>>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>>>
>>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>>>
>>>>> Thanks!
>>>>>
>>>>>> - DNS: DNSSEC support missing (important)
>>>>>
>>>>> Hm, is it important? My impression is that it's an idea whose time
>> has
>>>>> passed without significant adoption.
>>>>>
>>>>> But maybe we could enable it if the costs are not too great.
>>>>
>>>> gnu.org does not have dnssec, so we'd need them to work on that
>> first.
>>>
>>> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
>>> on machines with systemd-resolved:
>>>
>>> https://github.com/systemd/systemd/issues/9867
>>>
>
Felix Lechner wrote on 22 May 2023 04:21
Website is fine
(address . 47823@debbugs.gnu.org)
CAFHYt56qNqrRh=UT4SYtUv=GxpsbuHaM2zvzS5UVOLVc38y4tA@mail.gmail.com
Hi,

> Scanning Guix website gave many missing security features which modern
> security needs them to be available:

While I prefer DNSSEC on my domains, I see nothing wrong with
guix.gnu.org. Presumably, some changes have been made since the bug
was filed over two years ago.

SSL Labs now rates the domain security at an A grade. For details,
please consult the attached PDF document. Hardenize.com also mentions
no issues aside from HSTS, which I consider non-essential for the Guix
website.

If there are no objections, I will close this bug in the near future. Thanks!

Kind regards
Felix
Felix Lechner wrote on 22 May 2023 04:23
(address . 47823@debbugs.gnu.org)
CAFHYt56RRDg9KDeC+7c6KAkikXBbbPseR0i2E1cRMqUH9VUXfg@mail.gmail.com
On Sun, May 21, 2023 at 7:21 PM Felix Lechner
<felix.lechner@lease-up.com> wrote:
>
> For details,
> please consult the attached PDF document.

Whoops, here is the missing attachment.
19ed175b-856c-9c0f-4cd8-cf73f6b05ce3@riseup.net
1- Hmm? Why should an A rating be OK? A+ is the target that you should aim for.

Nevertheless, remove weak/stupid TLS ciphers in TLS 1.2 (e.g. check
grapheneos.org in SSL Labs/Hardenize to see which ciphers are the
secure/recommended ones to keep).

2- "While I prefer DNSSEC on my domains, I see nothing wrong with
guix.gnu.org"

Sorta contradictory, still (arguably) essential to have.

*-*-*-*

Extra fruit: on the Whonix/Kicksecure and Danwin websites (I know) they
changed the certificate signature from SHA256withRSA (RSA 2048 bits) to
SHA384withECDSA (EC 384 bits), which is faster and more secure.


This is just an easy request to make to Let's Encrypt and they will
issue a new one for you.

Thank You!

Felix Lechner:
> On Sun, May 21, 2023 at 7:21 PM Felix Lechner
> <felix.lechner@lease-up.com> wrote:
>>
>> For details,
>> please consult the attached PDF document.
>
> Whoops, here is the missing attachment.