GNU bug report logs -
#47823
Hardenize Guix website TLS/DNS
Report forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Fri, 16 Apr 2021 11:01:01 GMT)
Acknowledgement sent to bo0od <bo0od <at> riseup.net>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 16 Apr 2021 11:01:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hi there,
Scanning the Guix website revealed many missing security features that modern
security needs to have available:
* TLS and DNS:
Looking at:
https://www.hardenize.com/report/guix.gnu.org/1618568751
https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
- DNS: DNSSEC support missing (important)
- TLS 1.0, 1.1 considered deprecated since 2020
- Allow TLS 1.3 as it helps with ESNI whenever it's ready in OpenSSL
- Use only secure ciphers, disable old ciphers
- Force redirection of insecure plain-text connections to TLS
- HSTS/HSTS-preload support missing (important)
* Web Application (Headers):
I think it's self-explanatory:
https://securityheaders.com/?q=https%3A%2F%2Fguix.gnu.org%2F&followRedirects=on
ThX!
Information forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Fri, 16 Apr 2021 16:16:01 GMT)
Message #8 received at 47823 <at> debbugs.gnu.org:
On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning Guix website gave many missing security features which modern
> security needs them to be available:
>
> * TLS and DNS:
>
> looking at:
>
> https://www.hardenize.com/report/guix.gnu.org/1618568751
>
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
Thanks!
> - DNS: DNSSEC support missing (important)
Hm, is it important? My impression is that it's an idea whose time has
passed without significant adoption.
But maybe we could enable it if the costs are not too great.
> - TLS 1.0 , 1.1 considered deprecated since 2020
Yes, we should disable these, assuming there is not significant traffic
over them.
> - Allow TLS 1.3 as it helps with ESNI whenever its ready by openssl
Yes, we should enable this.
> - Use only secure ciphers, disable old ciphers
Yes.
> - Force redirection of insecure connection with plain text to TLS
> - HSTS/HSTS-preload support missing (important)
Yes, we should enable these.
Information forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Fri, 16 Apr 2021 21:37:02 GMT)
Message #11 received at submit <at> debbugs.gnu.org:
Leo Famulari <leo <at> famulari.name> writes:
>> - Force redirection of insecure connection with plain text to TLS
>> - HSTS/HSTS-preload support missing (important)
>
> Yes, we should enable these.
Be careful with HSTS, it can make the site inaccessible if you lose
access to a certificate and have to replace it. And yes, that can happen
easily, and you then won’t have a way to inform visitors why they cannot
access the site. If you enable it, make absolutely sure that the max-age
is short enough.
Best wishes,
Arne
--
Unpolitisch sein
heißt politisch sein
ohne es zu merken
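The report above asks for HSTS with preload, and Arne's reply warns that a long max-age can lock visitors out after a lost certificate. The following added example (not code from the bug report, Guix, or any of the participants) parses a Strict-Transport-Security header and checks both concerns; the one-year preload threshold is the public hstspreload.org requirement, while the one-week rollout ceiling and the `rollout` flag are this example's own assumptions.

```python
"""Audit a Strict-Transport-Security header against two policies:
preload eligibility and a recoverable max-age during rollout."""
import re

PRELOAD_MIN_MAX_AGE = 31536000       # one year, required by hstspreload.org
ROLLOUT_MAX_AGE_CEILING = 7 * 86400  # assumed: one week while the cert setup is still being validated


def parse_hsts(header: str) -> dict:
    """Parse HSTS directives (RFC 6797 section 6.1); names are case-insensitive
    and unknown directives are ignored. Raises ValueError on malformed input."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age value: {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def audit_hsts(header: str, rollout: bool) -> list:
    """Return a list of findings; an empty list means the header passes.
    rollout=True applies the short-max-age rule from the thread's caveat."""
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [f"unparseable HSTS header: {exc}"]
    findings = []
    if rollout and policy["max_age"] > ROLLOUT_MAX_AGE_CEILING:
        findings.append("max-age too long for rollout: a lost certificate "
                        "would lock visitors out for the whole period")
    if policy["preload"]:
        if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append("preload requested but max-age is below one year")
        if not policy["include_subdomains"]:
            findings.append("preload requested without includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not values observed on guix.gnu.org.
    for hdr in ("max-age=300", "max-age=31536000; includeSubDomains; preload"):
        print(hdr, "->", audit_hsts(hdr, rollout=True) or "ok")
```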
Information forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Sat, 17 Apr 2021 00:11:02 GMT)
Message #17 received at 47823 <at> debbugs.gnu.org:
Le 16 avril 2021 12:15:25 GMT-04:00, Leo Famulari <leo <at> famulari.name> a écrit :
>On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>> Scanning Guix website gave many missing security features which
>modern
>> security needs them to be available:
>>
>> * TLS and DNS:
>>
>> looking at:
>>
>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>
>Thanks!
>
>> - DNS: DNSSEC support missing (important)
>
>Hm, is it important? My impression is that it's an idea whose time has
>passed without significant adoption.
>
>But maybe we could enable it if the costs are not too great.
gnu.org does not have dnssec, so we'd need them to work on that first.
Information forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Mon, 24 May 2021 21:37:02 GMT)
Message #20 received at 47823 <at> debbugs.gnu.org:
Julien Lepiller <julien <at> lepiller.eu> skriver:
> Le 16 avril 2021 12:15:25 GMT-04:00, Leo Famulari <leo <at> famulari.name> a écrit :
>>On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>> Scanning Guix website gave many missing security features which
>>modern
>>> security needs them to be available:
>>>
>>> * TLS and DNS:
>>>
>>> looking at:
>>>
>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>
>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>
>>Thanks!
>>
>>> - DNS: DNSSEC support missing (important)
>>
>>Hm, is it important? My impression is that it's an idea whose time has
>>passed without significant adoption.
>>
>>But maybe we could enable it if the costs are not too great.
>
> gnu.org does not have dnssec, so we'd need them to work on that first.
gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
on machines with systemd-resolved:
https://github.com/systemd/systemd/issues/9867
Information forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Tue, 25 May 2021 12:52:01 GMT)
Message #23 received at 47823 <at> debbugs.gnu.org:
Then don't use systemd to do that. There are many other methods/tools to
achieve having it.
Marius Bakke:
> Julien Lepiller <julien <at> lepiller.eu> skriver:
>
>> Le 16 avril 2021 12:15:25 GMT-04:00, Leo Famulari <leo <at> famulari.name> a écrit :
>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>> Scanning Guix website gave many missing security features which
>>> modern
>>>> security needs them to be available:
>>>>
>>>> * TLS and DNS:
>>>>
>>>> looking at:
>>>>
>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>
>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>
>>> Thanks!
>>>
>>>> - DNS: DNSSEC support missing (important)
>>>
>>> Hm, is it important? My impression is that it's an idea whose time has
>>> passed without significant adoption.
>>>
>>> But maybe we could enable it if the costs are not too great.
>>
>> gnu.org does not have dnssec, so we'd need them to work on that first.
>
> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
> on machines with systemd-resolved:
>
> https://github.com/systemd/systemd/issues/9867
>
Information forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Tue, 25 May 2021 14:04:01 GMT)
Message #26 received at 47823 <at> debbugs.gnu.org:
No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)
Le 25 mai 2021 08:51:29 GMT-04:00, bo0od <bo0od <at> riseup.net> a écrit :
>Then dont use systemd to do that. There many other methods/tools to
>achieve having it.
>
>Marius Bakke:
>> Julien Lepiller <julien <at> lepiller.eu> skriver:
>>
>>> Le 16 avril 2021 12:15:25 GMT-04:00, Leo Famulari
><leo <at> famulari.name> a écrit :
>>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>>> Scanning Guix website gave many missing security features which
>>>> modern
>>>>> security needs them to be available:
>>>>>
>>>>> * TLS and DNS:
>>>>>
>>>>> looking at:
>>>>>
>>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>>
>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>>
>>>> Thanks!
>>>>
>>>>> - DNS: DNSSEC support missing (important)
>>>>
>>>> Hm, is it important? My impression is that it's an idea whose time
>has
>>>> passed without significant adoption.
>>>>
>>>> But maybe we could enable it if the costs are not too great.
>>>
>>> gnu.org does not have dnssec, so we'd need them to work on that
>first.
>>
>> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
>> on machines with systemd-resolved:
>>
>> https://github.com/systemd/systemd/issues/9867
>>
Information forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Tue, 25 May 2021 16:39:02 GMT)
Message #29 received at 47823 <at> debbugs.gnu.org:
If the server configured DNSSEC in a bad way then surely it won't
work, and that's what happened with gnu.org if you read this ticket:
https://github.com/systemd/systemd/issues/9867
This ticket shows clearly that the operators of gnu.org didn't fix their
bad DNSSEC configuration despite it being pointed out to them.
https://danwin1210.me
e.g. this domain uses DNSSEC; where is the problem connecting to it?
Julien Lepiller:
> No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)
>
> Le 25 mai 2021 08:51:29 GMT-04:00, bo0od <bo0od <at> riseup.net> a écrit :
>> Then dont use systemd to do that. There many other methods/tools to
>> achieve having it.
>>
>> Marius Bakke:
>>> Julien Lepiller <julien <at> lepiller.eu> skriver:
>>>
>>>> Le 16 avril 2021 12:15:25 GMT-04:00, Leo Famulari
>> <leo <at> famulari.name> a écrit :
>>>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>>>> Scanning Guix website gave many missing security features which
>>>>> modern
>>>>>> security needs them to be available:
>>>>>>
>>>>>> * TLS and DNS:
>>>>>>
>>>>>> looking at:
>>>>>>
>>>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>>>
>>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>>>
>>>>> Thanks!
>>>>>
>>>>>> - DNS: DNSSEC support missing (important)
>>>>>
>>>>> Hm, is it important? My impression is that it's an idea whose time
>> has
>>>>> passed without significant adoption.
>>>>>
>>>>> But maybe we could enable it if the costs are not too great.
>>>>
>>>> gnu.org does not have dnssec, so we'd need them to work on that
>> first.
>>>
>>> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
>>> on machines with systemd-resolved:
>>>
>>> https://github.com/systemd/systemd/issues/9867
>>>
>
Information forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Mon, 22 May 2023 02:23:02 GMT)
Message #32 received at 47823 <at> debbugs.gnu.org:
Hi,
> Scanning Guix website gave many missing security features which modern
> security needs them to be available:
While I prefer DNSSEC on my domains, I see nothing wrong with
guix.gnu.org. Presumably, some changes have been made since the bug
was filed over two years ago.
SSL Labs now rates the domain security at an A grade. For details,
please consult the attached PDF document. Hardenize.com also mentions
no issues aside from HSTS, which I consider non-essential for the Guix
website.
If there are no objections, I will close this bug in the near future. Thanks!
Kind regards
Felix
Information forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Mon, 22 May 2023 02:24:01 GMT)
Message #35 received at 47823 <at> debbugs.gnu.org:
On Sun, May 21, 2023 at 7:21 PM Felix Lechner
<felix.lechner <at> lease-up.com> wrote:
>
> For details,
> please consult the attached PDF document.
Whoops, here is the missing attachment.
[SSL Server Test guix.gnu.org (Powered by Qualys SSL Labs).pdf (application/pdf, attachment)]
Information forwarded to bug-guix <at> gnu.org: bug#47823; Package guix. (Wed, 31 May 2023 16:38:02 GMT)
Message #38 received at 47823 <at> debbugs.gnu.org:
1- Hmm? Why should an A rating be OK? A+ is the target that you should aim for.
Nevertheless, remove weak/stupid TLS ciphers in TLS 1.2 (e.g. check
grapheneos.org in SSL Labs/Hardenize to see which ciphers are the
secure/recommended ones to keep).
2- "While I prefer DNSSEC on my domains, I see nothing wrong with
guix.gnu.org"
Sort of contradictory; still (arguably) essential to have.
*-*-*-*
Extra fruit: on the Whonix/Kicksecure and Danwin websites (I know) they
changed the certificate signature from SHA256withRSA (RSA 2048 bits) to
SHA384withECDSA (EC 384 bits), which is faster and more secure.
e.g.: https://www.hardenize.com/report/whonix.org/1685550053#www_certs
This is just an easy request to make to Let's Encrypt and they will
issue a new one for you.
Thank you!
Felix Lechner:
> On Sun, May 21, 2023 at 7:21 PM Felix Lechner
> <felix.lechner <at> lease-up.com> wrote:
>>
>> For details,
>> please consult the attached PDF document.
>
> Whoops, here is the missing attachment.