Hardenize Guix website TLS/DNS

Open
Submitted by bo0od.
Details
4 participants
  • Dr. Arne Babenhauserheide
  • bo0od
  • Julien Lepiller
  • Leo Famulari
Owner
unassigned
Severity
normal
(address . bug-guix@gnu.org)
ee41c6c6-c080-7248-eed4-a8889d0b0a28@riseup.net
Hi There,
Scanning the Guix website gave many missing security features which modern security needs to be available:
* TLS and DNS:
looking at:
https://www.hardenize.com/report/guix.gnu.org/1618568751
https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
- DNS: DNSSEC support missing (important)
- TLS 1.0, 1.1 considered deprecated since 2020
- Allow TLS 1.3 as it helps with ESNI whenever it's ready in OpenSSL
- Use only secure ciphers, disable old ciphers
- Force redirection of insecure plain-text connections to TLS
- HSTS/HSTS-preload support missing (important)

* Web Application (Headers):
I think it's self-explanatory:
https://securityheaders.com/?q=https%3A%2F%2Fguix.gnu.org%2F&followRedirects=on
Thx!
Leo Famulari wrote on 16 Apr 18:15 +0200
(name . bo0od)(address . bo0od@riseup.net)(address . 47823@debbugs.gnu.org)
YHm4HTDJwTfXFI3U@jasmine.lan
On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning Guix website gave many missing security features which modern
> security needs them to be available:
>
> * TLS and DNS:
>
> looking at:
>
> https://www.hardenize.com/report/guix.gnu.org/1618568751
>
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
Thanks!
> - DNS: DNSSEC support missing (important)
Hm, is it important? My impression is that it's an idea whose time has passed without significant adoption.
But maybe we could enable it if the costs are not too great.
> - TLS 1.0 , 1.1 considered deprecated since 2020
Yes, we should disable these, assuming there is not significant traffic over them.
> - Allow TLS 1.3 as it helps with ESNI whenever its ready by openssl
Yes, we should enable this.
> - Use only secure ciphers, disable old ciphers
Yes.
> - Force redirection of insecure connection with plain text to TLS
> - HSTS/HSTS-preload support missing (important)
Yes, we should enable these.
Dr. Arne Babenhauserheide wrote on 16 Apr 23:36 +0200
(name . Leo Famulari)(address . leo@famulari.name)
875z0lap4g.fsf@web.de
Leo Famulari <leo@famulari.name> writes:
>> - Force redirection of insecure connection with plain text to TLS
>> - HSTS/HSTS-preload support missing (important)
>
> Yes, we should enable these.
Be careful with HSTS, it can make the site inaccessible if you lose access to a certificate and have to replace it. And yes, that can happen easily, and you then won’t have a way to inform visitors why they cannot access the site. If you enable it, make absolutely sure that the max-age is short enough.
Best wishes,
Arne
--
To be apolitical
is to be political
without noticing it
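The TLS items from the report above together with Arne's HSTS caveat, as an added nginx example that is not the Guix project's own configuration; it assumes the site is served by nginx built against OpenSSL, and the certificate and document-root paths are placeholders.

```nginx
# Added example, not the Guix project's own configuration.
# Assumes nginx with OpenSSL; PLACEHOLDER paths must be replaced.

# Plain-text listener: serve nothing, redirect everything to TLS.
server {
    listen 80;
    listen [::]:80;
    server_name guix.gnu.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name guix.gnu.org;

    ssl_certificate     /PLACEHOLDER/fullchain.pem;
    ssl_certificate_key /PLACEHOLDER/privkey.pem;

    # Before (what the scan flags): deprecated protocol versions still offered.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # After: TLS 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Before: nginx's default "HIGH:!aNULL:!MD5" still admits CBC and non-PFS suites.
    # After: forward-secret AEAD suites only. TLS 1.3 suites are fixed by OpenSSL,
    # not by this list, and are all AEAD.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # HSTS with Arne's caveat applied: start short, so a certificate problem locks
    # visitors out for minutes rather than months. Raise toward 31536000 (plus
    # includeSubDomains and preload, which the preload list requires) only once
    # certificate renewal has proved reliable over several cycles.
    add_header Strict-Transport-Security "max-age=300" always;

    # Headers securityheaders.com checks that do not depend on site content.
    # Pitfall: any add_header inside a location block replaces all of these
    # for that location, so repeat them there or keep them out of locations.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    root /PLACEHOLDER/www;
}
```

After reloading, the two scanners linked in the first message are the check that TLS 1.0/1.1 are refused and the header is present; note that the HSTS preload list accepts only the registrable domain, so preloading guix.gnu.org is, like DNSSEC, a gnu.org-level decision.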
Julien Lepiller wrote on 17 Apr 02:10 +0200
(address . 47823@debbugs.gnu.org)
4BF8EE8A-C2B4-429A-A0DF-928155A5802E@lepiller.eu
On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>> Scanning Guix website gave many missing security features which modern
>> security needs them to be available:
>>
>> * TLS and DNS:
>>
>> looking at:
>>
>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>
> Thanks!
>
>> - DNS: DNSSEC support missing (important)
>
> Hm, is it important? My impression is that it's an idea whose time has
> passed without significant adoption.
>
> But maybe we could enable it if the costs are not too great.
gnu.org does not have dnssec, so we'd need them to work on that first.