From: Marius Bakke <marius@HIDDEN>
To: Julien Lepiller <julien@HIDDEN>, Leo Famulari <leo@HIDDEN>, bo0od <bo0od@HIDDEN>
Cc: 47823 <at> debbugs.gnu.org
Subject: Re: bug#47823: Hardenize Guix website TLS/DNS
Date: Mon, 24 May 2021 23:36:40 +0200
Message-ID: <87r1hvq0ev.fsf@HIDDEN>

Julien Lepiller <julien@HIDDEN> writes:

> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@HIDDEN> wrote:
>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>> Scanning the Guix website shows many missing security features which
>>> modern security needs to be available:
>>>
>>> * TLS and DNS:
>>>
>>> looking at:
>>>
>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>
>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>
>> Thanks!
>>
>>> - DNS: DNSSEC support missing (important)
>>
>> Hm, is it important? My impression is that it's an idea whose time has
>> passed without significant adoption.
>>
>> But maybe we could enable it if the costs are not too great.
>
> gnu.org does not have dnssec, so we'd need them to work on that first.

gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN on
machines with systemd-resolved:

https://github.com/systemd/systemd/issues/9867

From: Julien Lepiller <julien@HIDDEN>
To: Leo Famulari <leo@HIDDEN>, bo0od <bo0od@HIDDEN>
Cc: 47823 <at> debbugs.gnu.org
Subject: Re: bug#47823: Hardenize Guix website TLS/DNS
Date: Fri, 16 Apr 2021 20:10:11 -0400
Message-ID: <4BF8EE8A-C2B4-429A-A0DF-928155A5802E@HIDDEN>

On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@HIDDEN> wrote:
> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>> Scanning the Guix website shows many missing security features which
>> modern security needs to be available:
>>
>> * TLS and DNS:
>>
>> looking at:
>>
>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>
> Thanks!
>
>> - DNS: DNSSEC support missing (important)
>
> Hm, is it important? My impression is that it's an idea whose time has
> passed without significant adoption.
>
> But maybe we could enable it if the costs are not too great.

gnu.org does not have dnssec, so we'd need them to work on that first.

From: "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Cc: bo0od <bo0od@HIDDEN>, bug-guix@HIDDEN, 47823 <at> debbugs.gnu.org
Subject: Re: bug#47823: Hardenize Guix website TLS/DNS
Date: Fri, 16 Apr 2021 23:36:15 +0200
Message-ID: <875z0lap4g.fsf@HIDDEN>

Leo Famulari <leo@HIDDEN> writes:

>> - Force redirection of insecure plain-text connections to TLS
>> - HSTS/HSTS-preload support missing (important)
>
> Yes, we should enable these.

Be careful with HSTS: it can make the site inaccessible if you lose
access to a certificate and have to replace it. And yes, that can happen
easily, and you then won’t have a way to inform visitors why they cannot
access the site.

If you enable it, make absolutely sure that the max-age is short enough.

Best wishes,
Arne
--
To be apolitical is to be political without noticing it

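The max-age caveat above, as an added example (not code from the thread or from the Guix project): a small checker that parses a Strict-Transport-Security header per RFC 6797 and reports what a given value commits the site to. The rollout "stages" (a short trial policy that can be withdrawn, then a long final policy) and the 7-day trial ceiling are this example's own convention; the one-year floor is the published hstspreload.org requirement. The header strings are constructed for the example.

```python
"""Strict-Transport-Security rollout checker (added example).

Once a browser has cached a long max-age it refuses plain HTTP and gives
no click-through on certificate errors until that age expires, and a
domain on the browser preload lists cannot back out at all.  The checker
makes those commitments visible before the header goes live.
"""
import re
from dataclasses import dataclass
from typing import List

ONE_DAY = 86400
ONE_YEAR = 31536000        # minimum max-age accepted by hstspreload.org
TRIAL_LIMIT = 7 * ONE_DAY  # this example's own ceiling for a first rollout


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the directive list (RFC 6797 section 6.1): names are
    case-insensitive, max-age may be quoted, max-age must appear exactly
    once, unknown directives are ignored."""
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age directive: {directive.strip()!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def lockout_days(policy: HstsPolicy) -> float:
    """How long a client that cached this policy keeps enforcing it."""
    return policy.max_age / ONE_DAY


def assess(header: str, stage: str) -> List[str]:
    """Findings for a header at a rollout stage ('trial' or 'final');
    an empty list means the header is acceptable for that stage."""
    p = parse_hsts(header)
    findings = []
    if stage == "trial":
        if p.max_age > TRIAL_LIMIT:
            findings.append(
                f"max-age={p.max_age} is cached for {lockout_days(p):.0f} days; "
                "a certificate problem would lock visitors out for that long")
        if p.preload:
            findings.append(
                "preload sent during trial: once the domain is on the browser "
                "preload lists the server cannot withdraw the policy")
    elif stage == "final":
        if p.preload and p.max_age < ONE_YEAR:
            findings.append(f"preload requires max-age >= {ONE_YEAR}, got {p.max_age}")
        if p.preload and not p.include_subdomains:
            findings.append("preload requires includeSubDomains")
    else:
        raise ValueError(f"unknown stage {stage!r}")
    if p.max_age == 0:
        findings.append("max-age=0 clears the cached policy (the only way to "
                        "back out; it does nothing for a preloaded domain)")
    return findings


if __name__ == "__main__":
    # Constructed samples: a cautious first deployment, the same preload-ready
    # header sent too early, and the preload-ready header at the final stage.
    for stage, hdr in [("trial", "max-age=300"),
                       ("trial", "max-age=31536000; includeSubDomains; preload"),
                       ("final", "max-age=63072000; includeSubDomains; preload")]:
        print(stage, repr(hdr), assess(hdr, stage) or "ok")
```

The practical sequence the checker encodes: serve a max-age of minutes first, confirm every hostname the policy covers (with includeSubDomains, every subdomain) renews its certificate without manual steps, then raise max-age, and only then consider preload, which is a one-way door.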
From: Leo Famulari <leo@HIDDEN>
To: bo0od <bo0od@HIDDEN>
Cc: 47823 <at> debbugs.gnu.org
Subject: Re: bug#47823: Hardenize Guix website TLS/DNS
Date: Fri, 16 Apr 2021 12:15:25 -0400
Message-ID: <YHm4HTDJwTfXFI3U@HIDDEN>

On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning the Guix website shows many missing security features which
> modern security needs to be available:
>
> * TLS and DNS:
>
> looking at:
>
> https://www.hardenize.com/report/guix.gnu.org/1618568751
>
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

Thanks!

> - DNS: DNSSEC support missing (important)

Hm, is it important? My impression is that it's an idea whose time has
passed without significant adoption.

But maybe we could enable it if the costs are not too great.

> - TLS 1.0, 1.1 considered deprecated since 2020

Yes, we should disable these, assuming there is not significant traffic
over them.

> - Allow TLS 1.3 as it helps with ESNI whenever it's ready in OpenSSL

Yes, we should enable this.

> - Use only secure ciphers, disable old ciphers

Yes.

> - Force redirection of insecure plain-text connections to TLS
> - HSTS/HSTS-preload support missing (important)

Yes, we should enable these.

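The three TLS items agreed above (drop TLS 1.0/1.1, allow TLS 1.3, keep only modern cipher suites) as an added example, not code from the thread or from the Guix project. The thread does not say which server software guix.gnu.org runs, so the example builds the profile with Python's ssl module, where the same three settings can be inspected offline; the certificate paths are a placeholder assumption and are only loaded when given. The weak-suite test treats a suite as acceptable only if it is TLS 1.2 or 1.3, AEAD, and forward-secret.

```python
"""Hardened server TLS profile built with Python's ssl module (added
example).  Runs offline: it constructs the context and inspects which
suites OpenSSL would still negotiate under it."""
import ssl
from typing import Dict, List, Optional

# OpenSSL cipher string: ECDHE key exchange only (forward secrecy) with
# AES-GCM or ChaCha20-Poly1305 (AEAD).  TLS 1.3 suites are selected by
# OpenSSL separately and are all forward-secret AEAD suites.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def make_server_context(certfile: Optional[str] = None,
                        keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context with no SSLv3/TLS 1.0/TLS 1.1, TLS 1.3 permitted,
    AEAD-only suites.  certfile/keyfile are placeholders (assumption)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses TLS 1.0 and 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS-level compression (CRIME)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server picks the suite
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def permissive_context() -> ssl.SSLContext:
    """The 'before' picture: every suite OpenSSL is still willing to offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def protocol_floor(ctx: ssl.SSLContext) -> str:
    """Lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def suites_by_protocol(ctx: ssl.SSLContext) -> Dict[str, int]:
    """Count enabled suites by the protocol version they belong to."""
    counts: Dict[str, int] = {}
    for c in ctx.get_ciphers():
        counts[c["protocol"]] = counts.get(c["protocol"], 0) + 1
    return counts


def weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Enabled suites failing the checklist: pre-TLS-1.2 suite, non-AEAD
    (CBC + HMAC) construction, or a key exchange without forward secrecy."""
    bad = []
    for c in ctx.get_ciphers():
        name, proto = c["name"], c["protocol"]
        aead = any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))
        forward_secret = name.startswith(("ECDHE-", "DHE-", "TLS_"))
        if proto not in ("TLSv1.2", "TLSv1.3") or not aead or not forward_secret:
            bad.append(name)
    return bad


if __name__ == "__main__":
    hard, loose = make_server_context(), permissive_context()
    print("floor:", protocol_floor(hard), "suites:", suites_by_protocol(hard))
    print("weak suites left in hardened profile:", weak_ciphers(hard))
    print("weak suites in permissive profile:", len(weak_ciphers(loose)))
```

Leo's "assuming there is not significant traffic over them" is the part the context cannot answer: before raising the floor, count negotiated protocol versions in the server's access logs for a few weeks, since a client stuck on TLS 1.0 fails the handshake outright rather than falling back.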
From: bo0od <bo0od@HIDDEN>
To: bug-guix@HIDDEN
Subject: Hardenize Guix website TLS/DNS
Date: Fri, 16 Apr 2021 11:00:05 +0000
Message-ID: <ee41c6c6-c080-7248-eed4-a8889d0b0a28@HIDDEN>

Hi There,

Scanning the Guix website shows many missing security features which
modern security needs to be available:

* TLS and DNS:

looking at:

https://www.hardenize.com/report/guix.gnu.org/1618568751

https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

- DNS: DNSSEC support missing (important)
- TLS 1.0, 1.1 considered deprecated since 2020
- Allow TLS 1.3 as it helps with ESNI whenever it's ready in OpenSSL
- Use only secure ciphers, disable old ciphers
- Force redirection of insecure plain-text connections to TLS
- HSTS/HSTS-preload support missing (important)

* Web Application (Headers):

I think it's self-explanatory:

https://securityheaders.com/?q=https%3A%2F%2Fguix.gnu.org%2F&followRedirects=on

Thx!

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.