GNU bug report logs - #47823
Hardenize Guix website TLS/DNS

Package: guix;

Reported by: bo0od <bo0od <at> riseup.net>

Date: Fri, 16 Apr 2021 11:01:01 UTC

Severity: normal


Message #38 received at 47823 <at> debbugs.gnu.org:

From: bo0od <bo0od <at> riseup.net>
To: Felix Lechner <felix.lechner <at> lease-up.com>, 47823 <at> debbugs.gnu.org
Cc: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>,
 Marius Bakke <marius <at> gnu.org>, Julien Lepiller <julien <at> lepiller.eu>,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: Website is fine
Date: Wed, 31 May 2023 16:37:00 +0000

1- Hmm? Why should an A rating be OK? A+ is the target that you should aim for.

Nevertheless, remove weak/stupid TLS ciphers in TLS 1.2 (e.g. check 
grapheneos.org in ssllab/hardenizer to see which ciphers are the 
secure/recommended ones to keep).

2- "While I prefer DNSSEC on my domains, I see nothing wrong with
guix.gnu.org"

Sorta contradictory, still (arguably) essential to have.

*-*-*-*

Extra fruit: on the Whonix/Kicksecure and Danwin websites (I know) they 
changed the certificate signature from SHA256withRSA (RSA 2048 bits) to 
SHA384withECDSA (EC 384 bits), which is faster and more secure.

E.g.: https://www.hardenize.com/report/whonix.org/1685550053#www_certs

This is just an easy request to make to Let's Encrypt, and they will 
issue a new one for you.

Thank You!

Felix Lechner:
> On Sun, May 21, 2023 at 7:21 PM Felix Lechner
> <felix.lechner <at> lease-up.com> wrote:
>>
>> For details,
>> please consult the attached PDF document.
> 
> Whoops, here is the missing attachment.
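
For point 1 of the message above, one way to see which TLS 1.2 suites an OpenSSL cipher string actually enables, and which of them lack forward secrecy or AEAD. This is an added example, not part of the original thread or of the Guix server configuration; both cipher strings are constructed for illustration.

```python
import ssl

# Constructed cipher strings (assumptions, not the Guix configuration).
# Web servers linked against OpenSSL accept the same cipher-string syntax.
BROAD = "HIGH:!aNULL:!MD5"
STRICT = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK"


def tls12_suites(cipher_string):
    """Return the TLS <= 1.2 suite names OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites (names starting "TLS_") are not controlled by this
    # string and are always listed, so leave them out of the audit.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def weaknesses(name):
    """Classify one OpenSSL suite name by key exchange and cipher mode."""
    issues = []
    # Only ephemeral (EC)DH key exchange gives forward secrecy.
    if not name.startswith(("ECDHE-", "DHE-")):
        issues.append("no forward secrecy")
    # GCM, CCM and ChaCha20-Poly1305 are the AEAD modes; the rest are CBC.
    if not any(mode in name for mode in ("GCM", "CCM", "CHACHA20")):
        issues.append("non-AEAD mode")
    return issues


def audit(cipher_string):
    """Map each flagged suite to its issues; an empty dict means clean."""
    report = {name: weaknesses(name) for name in tls12_suites(cipher_string)}
    return {name: issues for name, issues in report.items() if issues}


if __name__ == "__main__":
    for label, string in (("BROAD", BROAD), ("STRICT", STRICT)):
        flagged = audit(string)
        print(f"{label}: {len(tls12_suites(string))} suites, "
              f"{len(flagged)} flagged")
        for name, issues in sorted(flagged.items()):
            print(f"  {name}: {', '.join(issues)}")
```

The suite list depends on the local OpenSSL build, so run it with the same OpenSSL the server uses.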




This bug report was last modified 2 years and 13 days ago.
