From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 16 07:00:43 2021 Received: (at submit) by debbugs.gnu.org; 16 Apr 2021 11:00:43 +0000 Received: from localhost ([127.0.0.1]:40128 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lXMDH-0001mF-Lz for submit@debbugs.gnu.org; Fri, 16 Apr 2021 07:00:43 -0400 Received: from lists.gnu.org ([209.51.188.17]:55136) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lXMDF-0001m7-JQ for submit@debbugs.gnu.org; Fri, 16 Apr 2021 07:00:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:59536) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lXMDD-0000r1-Nq for bug-guix@gnu.org; Fri, 16 Apr 2021 07:00:37 -0400 Received: from mx1.riseup.net ([198.252.153.129]:50132) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lXMD2-00086x-J2 for bug-guix@gnu.org; Fri, 16 Apr 2021 07:00:35 -0400 Received: from fews1.riseup.net (fews1-pn.riseup.net [10.0.1.83]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4FMCsj4JbHzFr9n for ; Fri, 16 Apr 2021 04:00:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1618570822; bh=O2BomZzkJYLytzED7+MFP5XYXMOkc8Z4xhJnV+M5ZGs=; h=To:From:Subject:Date:From; b=TT3tYpjk+5azP6zejI8xS28Lr/BB7kyc4O0cpzfzFxFr0CDTthNUYJi9l7eurfYAU jynqoobNkPbum8YktsuZhmjZzCgFJ7qu6BMPqtvCv7A5zoI/hfjtw5SPjdRaIMoHlC ZFD0KAo9U3yJyPQQEM7ckZ30wLdP9wv/rvn01Mwg= X-Riseup-User-ID: 229312936CEB70033316BA1D53419464D9B7BECDE2678775D84CCB5808A3368A Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews1.riseup.net (Postfix) with ESMTPSA id 4FMCsh5f3Yz5vlJ for ; Fri, 16 Apr 2021 04:00:08 -0700 (PDT) To: bug-guix@gnu.org From: bo0od Subject: Hardenize Guix website TLS/DNS Message-ID: Date: Fri, 16 Apr 2021 11:00:05 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=198.252.153.129; envelope-from=bo0od@riseup.net; helo=mx1.riseup.net X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) Hi There, Scanning Guix website gave many missing security features which modern security needs them to be available: * TLS and DNS: looking at: https://www.hardenize.com/report/guix.gnu.org/1618568751 https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org - DNS: DNSSEC support missing (important) - TLS 1.0 , 1.1 considered deprecated since 2020 - Allow TLS 1.3 as it helps with ESNI whenever its ready by openssl - Use only secure ciphers, disable old ciphers - Force redirection of insecure connection with plain text to TLS - HSTS/HSTS-preload support missing (important) * Web Application (Headers): I think its self explanatory: https://securityheaders.com/?q=https%3A%2F%2Fguix.gnu.org%2F&followRedirects=on ThX!