GNU bug report logs - #47823
Hardenize Guix website TLS/DNS

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix; Reported by: bo0od <bo0od@HIDDEN>; dated Fri, 16 Apr 2021 11:01:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 47823 <at> debbugs.gnu.org:


Date: Fri, 16 Apr 2021 12:15:25 -0400
From: Leo Famulari <leo@HIDDEN>
To: bo0od <bo0od@HIDDEN>
Subject: Re: bug#47823: Hardenize Guix website TLS/DNS
Message-ID: <YHm4HTDJwTfXFI3U@HIDDEN>
References: <ee41c6c6-c080-7248-eed4-a8889d0b0a28@HIDDEN>

On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning the Guix website turned up many missing security features that
> modern security needs to have available:
> 
> * TLS and DNS:
> 
> looking at:
> 
> https://www.hardenize.com/report/guix.gnu.org/1618568751
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

Thanks!

> - DNS: DNSSEC support missing (important)

Hm, is it important? My impression is that it's an idea whose time has
passed without significant adoption.

But maybe we could enable it if the costs are not too great.

> - TLS 1.0, 1.1 considered deprecated since 2020

Yes, we should disable these, assuming there is not significant traffic
over them.

> - Allow TLS 1.3 as it helps with ESNI whenever it's ready in openssl

Yes, we should enable this.

> - Use only secure ciphers, disable old ciphers

Yes.

> - Force redirection of insecure connection with plain text to TLS
> - HSTS/HSTS-preload support missing (important)

Yes, we should enable these.




Information forwarded to bug-guix@HIDDEN:
bug#47823; Package guix.

Message received at submit <at> debbugs.gnu.org:


To: bug-guix@HIDDEN
From: bo0od <bo0od@HIDDEN>
Subject: Hardenize Guix website TLS/DNS
Message-ID: <ee41c6c6-c080-7248-eed4-a8889d0b0a28@HIDDEN>
Date: Fri, 16 Apr 2021 11:00:05 +0000

Hi There,

Scanning the Guix website turned up many missing security features that
modern security needs to have available:

* TLS and DNS:

looking at:

https://www.hardenize.com/report/guix.gnu.org/1618568751

https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

- DNS: DNSSEC support missing (important)
- TLS 1.0, 1.1 considered deprecated since 2020
- Allow TLS 1.3 as it helps with ESNI whenever it's ready in openssl
- Use only secure ciphers, disable old ciphers
- Force redirection of insecure connection with plain text to TLS
- HSTS/HSTS-preload support missing (important)


* Web Application (Headers):

I think it's self-explanatory:

https://securityheaders.com/?q=https%3A%2F%2Fguix.gnu.org%2F&followRedirects=on

ThX!
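As an added illustration, not code from the report or from the Guix infrastructure: a small Python checker for the TLS version, HTTP-to-HTTPS redirect and HSTS items listed above, run offline against constructed header sets rather than a live site. The thresholds it applies (max-age of at least one year, includeSubDomains, preload, a permanent redirect to the same host over HTTPS) are the published HSTS preload-list submission requirements; it assumes response header names are already lower-cased.

```python
# Added example (not Guix infrastructure code): checks for bug#47823's TLS/HSTS items.
ONE_YEAR = 31536000                      # minimum max-age for hstspreload.org
DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}    # deprecated by RFC 8996

def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict
    keyed by lower-cased directive name (value is '' for flag directives)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def hsts_findings(headers):
    """Problems with Strict-Transport-Security, measured against the
    preload-list rules: max-age >= one year, includeSubDomains, preload."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit():
        return ["HSTS max-age missing or malformed"]
    problems = []
    if int(d["max-age"]) < ONE_YEAR:
        problems.append("HSTS max-age below one year")
    if "includesubdomains" not in d:
        problems.append("HSTS lacks includeSubDomains")
    if "preload" not in d:
        problems.append("HSTS lacks preload")
    return problems

def redirect_findings(status, headers, host):
    """A plain-HTTP request must be answered with a permanent redirect to the
    https:// origin of the same host (also a preload-list requirement)."""
    location = headers.get("location", "")
    if status not in (301, 308) or not location.startswith(f"https://{host}"):
        return [f"http://{host} does not redirect to https://{host}"]
    return []

def tls_version_findings(offered):
    """Report deprecated versions still offered, and TLS 1.3 if it is missing.
    `offered` is the set of protocol version names the server negotiates."""
    problems = [f"{v} still enabled" for v in sorted(offered & DEPRECATED_TLS)]
    if "TLSv1.3" not in offered:
        problems.append("TLSv1.3 not offered")
    return problems
```

Feed it the header dict of a real response (for example from an HTTP client of your choice) and the version set reported by a TLS scanner; an empty list from each function means that item of the report is satisfied.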




Acknowledgement sent to bo0od <bo0od@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN.
Report forwarded to bug-guix@HIDDEN:
bug#47823; Package guix.
Last modified: Fri, 16 Apr 2021 16:15:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.