| 1 |
On Fri, Mar 27, 2015 at 03:33:15PM +0100, Hanno Böck wrote: |
| 2 |
> Right now a number of Gentoo webpages are by default served over http. |
| 3 |
> There is a growing trend to push more webpages to default to https, |
| 4 |
> mostly pushed by google. I think this is a good thing and I think |
| 5 |
> Gentoo should follow. |
| 6 |
Please read my one counter-argument below, as it's not one you refuted. |
| 7 |
|
| 8 |
> Right now we seem to have a mix: |
| 9 |
... |
| 10 |
> * Some with logins are mixed http/login-via-https, which makes them |
| 11 |
> vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org) |
| 12 |
Are you sure about this? Everything on wiki should always redirect to SSL very early. |
| 13 |
|
| 14 |
> I'd propose the following: |
| 15 |
> * Make all pages under .gentoo.org https by default |
| 16 |
Enabled for the following sites now (copied from cfengine commit): |
| 17 |
files/etc/apache2/vhosts.d/sites/ads/01_ads.gentoo.org.conf | 6 ++++++ |
| 18 |
files/etc/apache2/vhosts.d/sites/api/api.gentoo.org.conf | 6 ++++++ |
| 19 |
files/etc/apache2/vhosts.d/sites/archives/30_archives.gentoo.org.conf | 6 ++++++ |
| 20 |
files/etc/apache2/vhosts.d/sites/blogs/35_blogs.gentoo.org.conf | 6 ++++++ |
| 21 |
files/etc/apache2/vhosts.d/sites/devmanual/35_devmanual.gentoo.org.conf | 6 ++++++ |
| 22 |
files/etc/apache2/vhosts.d/sites/forums/01_forums.gentoo.org.conf | 6 ++++++ |
| 23 |
files/etc/apache2/vhosts.d/sites/get/36_get.gentoo.org.conf | 6 ++++++ |
| 24 |
files/etc/apache2/vhosts.d/sites/infra-status/40_infra-status.gentoo.org.conf | 6 ++++++ |
| 25 |
files/etc/apache2/vhosts.d/sites/mirrorstats/20_mirrorstats.gentoo.org.conf | 6 ++++++ |
| 26 |
files/etc/apache2/vhosts.d/sites/packages/packages.gentoo.org.conf | 6 ++++++ |
| 27 |
files/etc/apache2/vhosts.d/sites/planet/40_planet.gentoo.org.conf | 6 ++++++ |
| 28 |
files/etc/apache2/vhosts.d/sites/qa-reports/36_qa-reports.gentoo.org.conf | 6 ++++++ |
| 29 |
files/etc/apache2/vhosts.d/sites/sources/30_sources.gentoo.org.conf | 6 ++++++ |
| 30 |
files/etc/apache2/vhosts.d/sites/www/www.gentoo.org.conf | 6 ++++++ |
| 31 |
14 files changed, 84 insertions(+) |
| 32 |
|
| 33 |
> * Make sure all use modern HTTPS features, including: |
| 34 |
> * OCSP Stapling |
| 35 |
SSLUseStapling is Apache 2.3+ only, and that isn't stable yet. |
| 36 |
|
| 37 |
> * HSTS |
| 38 |
It's coming already, you can see it on security.gentoo.org. |
| 39 |
|
| 40 |
> * A secure collection of cipher suites |
| 41 |
What's wrong with our present Ciphers? |
| 42 |
https://www.ssllabs.com/ssltest/analyze.html?d=gentoo.org |
| 43 |
We have them configured per: |
| 44 |
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
| 45 |
SSLProtocol ALL -SSLv2 -SSLv3 |
| 46 |
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS |
| 47 |
SSLHonorCipherOrder on |
| 48 |
SSLCompression off |
| 49 |
|
| 50 |
> * (one may add HPKP here, but it requires careful planning and has the |
| 51 |
> potential to lock people out of the page if done wrong) |
| 52 |
Too risky at this point. |
| 53 |
|
| 54 |
> (On the long term I think it would also be good to have downloads over |
| 55 |
> https, but I'm aware that this is more difficult as it involves mirror |
| 56 |
> operators that are not under direct control of gentoo infrastructure.) |
| 57 |
This is why we published signatures on as much as we can. |
| 58 |
|
| 59 |
> As I know these discussions, I'll already answer to some |
| 60 |
> counter-arguments that may come up: |
| 61 |
Users behind firewalls that block HTTPS are now going to be blocked from Gentoo |
| 62 |
services. |
| 63 |
|
| 64 |
Last time we proposed going HTTPS-by-default, there was complaint from users |
| 65 |
that were going to be locked out. |
| 66 |
|
| 67 |
I've turned it on anyway now, and want them to come out of the woodwork to |
| 68 |
refute you that we're ready for HTTPS-by-default. |
| 69 |
|
| 70 |
> "Certificates are too expensive" |
| 71 |
> Gentoo already has certs for all pages, so this is not an argument |
| 72 |
> here, but if this ever becomes an issue there are a number of CAs these |
| 73 |
> days that issue free certs. In summer the community based CA Let's |
| 74 |
> encrypt will start which will be another option. |
| 75 |
We're still limited when it comes to services that need wildcards for the |
| 76 |
service. We have one such presently, and I hope we don't get more: |
| 77 |
Bugzilla, for attachments. (which are served at a different hostname that can't |
| 78 |
access your base bugzilla cookies even the attachment contains javascript that |
| 79 |
runs). |
| 80 |
|
| 81 |
-- |
| 82 |
Robin Hugh Johnson |
| 83 |
Gentoo Linux: Developer, Infrastructure Lead |
| 84 |
E-Mail : robbat2@g.o |
| 85 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives