On Fri, Mar 27, 2015 at 03:33:15PM +0100, Hanno Böck wrote:
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.
Please read my one counter-argument below, as it's not one you refuted.

> Right now we seem to have a mix:
...
> * Some with logins are mixed http/login-via-https, which makes them
> vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
Are you sure about this? Everything on wiki should always redirect to SSL very early.

> I'd propose the following:
> * Make all pages under .gentoo.org https by default
Enabled for the following sites now (copied from cfengine commit):
files/etc/apache2/vhosts.d/sites/ads/01_ads.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/api/api.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/archives/30_archives.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/blogs/35_blogs.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/devmanual/35_devmanual.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/forums/01_forums.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/get/36_get.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/infra-status/40_infra-status.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/mirrorstats/20_mirrorstats.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/packages/packages.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/planet/40_planet.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/qa-reports/36_qa-reports.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/sources/30_sources.gentoo.org.conf | 6 ++++++
files/etc/apache2/vhosts.d/sites/www/www.gentoo.org.conf | 6 ++++++
14 files changed, 84 insertions(+)

> * Make sure all use modern HTTPS features, including:
> * OCSP Stapling
SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

> * HSTS
It's coming already, you can see it on security.gentoo.org.

> * A secure collection of cipher suites
What's wrong with our present Ciphers?
https://www.ssllabs.com/ssltest/analyze.html?d=gentoo.org
We have them configured per:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
SSLCompression off

> * (one may add HPKP here, but it requires careful planning and has the
> potential to lock people out of the page if done wrong)
Too risky at this point.

> (On the long term I think it would also be good to have downloads over
> https, but I'm aware that this is more difficult as it involves mirror
> operators that are not under direct control of gentoo infrastructure.)
This is why we published signatures on as much as we can.

> As I know these discussions, I'll already answer to some
> counter-arguments that may come up:
Users behind firewalls that block HTTPS are now going to be blocked from Gentoo
services.

Last time we proposed going HTTPS-by-default, there was complaint from users
that were going to be locked out.

I've turned it on anyway now, and want them to come out of the woodwork to
refute you that we're ready for HTTPS-by-default.

> "Certificates are too expensive"
> Gentoo already has certs for all pages, so this is not an argument
> here, but if this ever becomes an issue there are a number of CAs these
> days that issue free certs. In summer the community based CA Let's
> encrypt will start which will be another option.
We're still limited when it comes to services that need wildcards for the
service. We have one such presently, and I hope we don't get more:
Bugzilla, for attachments. (which are served at a different hostname that can't
access your base bugzilla cookies even if the attachment contains javascript that
runs).

--
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
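The reply above touches on several vhost-level properties at once: a port-80 vhost that never redirects to https (the "mixed http / login-via-https" pattern behind ssl-stripping), the SSLProtocol / SSLCipherSuite / SSLHonorCipherOrder / SSLCompression settings quoted from the config, HSTS, and SSLUseStapling. The script below is an added example, not part of the thread and not Gentoo infra's cfengine code: a small lexical auditor for Apache vhost blocks that reports which of those properties each vhost is missing. The embedded config is constructed for illustration (the hostnames www.example.org and wiki.example.org are placeholders), the directive scanner is deliberately minimal (no Include handling, no nested sections), and the cipher check only inspects cipher-string tokens rather than expanding them with OpenSSL.

```python
import re
from dataclasses import dataclass, field

# Constructed sample config; hostnames are placeholders, not Gentoo's real vhosts.
# www.* follows the settings quoted in the thread; wiki.* shows the
# "mixed http / login via https" pattern plus legacy TLS settings.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLHonorCipherOrder on
    SSLCompression off
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

<VirtualHost *:80>
    ServerName wiki.example.org
    # no redirect: pages served over http, only the login form posts to https
    DocumentRoot /var/www/wiki
</VirtualHost>

<VirtualHost *:443>
    ServerName wiki.example.org
    SSLEngine on
    SSLProtocol ALL -SSLv2
    SSLCipherSuite HIGH:MEDIUM:RC4:!aNULL
    SSLCompression on
</VirtualHost>
"""

# Cipher-string tokens that select known-weak suites when used positively.
WEAK = {"rc4", "export", "exp", "low", "null", "enull", "des", "md5"}


@dataclass
class VHost:
    port: str
    name: str = "?"
    directives: list = field(default_factory=list)  # (directive lowercased, argument text)

    def args(self, directive):
        return [a for d, a in self.directives if d == directive.lower()]


def parse_vhosts(text):
    """Minimal scanner: collect directives inside <VirtualHost ...:PORT> blocks."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        opened = re.match(r"<virtualhost\s+(?:\S+:)?(\d+)\s*>", line, re.I)
        if opened:
            current = VHost(port=opened.group(1))
            vhosts.append(current)
        elif line.lower() == "</virtualhost>":
            current = None
        elif current is not None:
            directive, _, arg = line.partition(" ")
            if directive.lower() == "servername":
                current.name = arg.strip()
            current.directives.append((directive.lower(), arg.strip()))
    return vhosts


def weak_cipher_tokens(spec):
    """Positively selected tokens of an OpenSSL cipher string that are weak."""
    found = set()
    for group in spec.split(":"):
        if not group or group[0] in "!-":  # exclusions are what we want to see
            continue
        for token in group.lstrip("+").split("+"):
            if token.lower() in WEAK:
                found.add(token)
    return found


def audit(text):
    """Return (hostname, finding) pairs for the HTTPS properties discussed in the thread."""
    findings = []
    vhosts = parse_vhosts(text)
    https_hosts = {v.name for v in vhosts if v.port == "443"}
    for v in vhosts:
        def note(msg, host=v.name):
            findings.append((host, msg))

        if v.port == "80":
            targets = v.args("Redirect") + v.args("RedirectPermanent") + v.args("RewriteRule")
            if not any("https://" in t for t in targets):
                # An https vhost exists but http is still served: the SSL-stripping case.
                why = "SSL-stripping exposure" if v.name in https_hosts else "plain HTTP only"
                note(f"port 80 vhost does not redirect to https ({why})")
            continue
        if v.port != "443":
            continue
        if [a.lower() for a in v.args("SSLEngine")] != ["on"]:
            note("SSLEngine is not 'on'")
        protos = [t.lower() for a in v.args("SSLProtocol") for t in a.split()]
        if not protos:
            note("SSLProtocol not set explicitly")
        for legacy in ("SSLv2", "SSLv3"):
            if ("all" in protos or legacy.lower() in protos) and f"-{legacy.lower()}" not in protos:
                note(f"{legacy} is negotiable (SSLProtocol should exclude it)")
        spec = ":".join(v.args("SSLCipherSuite"))
        weak = weak_cipher_tokens(spec)
        if weak:
            note("weak ciphers selectable: " + ", ".join(sorted(weak)))
        for must in ("!aNULL", "!MD5"):
            if must.lower() not in spec.lower().split(":"):
                note(f"{must} missing from SSLCipherSuite")
        if [a.lower() for a in v.args("SSLHonorCipherOrder")] != ["on"]:
            note("SSLHonorCipherOrder is not 'on' (client chooses the cipher)")
        if "on" in [a.lower() for a in v.args("SSLCompression")]:
            note("SSLCompression on (TLS compression, CRIME)")
        if not any("strict-transport-security" in a.lower() for a in v.args("Header")):
            note("no Strict-Transport-Security header (HSTS)")
        if "on" not in [a.lower() for a in v.args("SSLUseStapling")]:
            note("OCSP stapling not enabled (SSLUseStapling, Apache 2.3+ only)")
    return findings


if __name__ == "__main__":
    for host, finding in audit(SAMPLE_CONFIG):
        print(f"{host}: {finding}")
```

Run against the constructed config, the www vhost pair reports only the missing OCSP stapling (which the thread says is not yet available on stable Apache), while the wiki pair reports the un-redirected port-80 vhost alongside SSLv3, RC4, MD5, compression, cipher-order and HSTS findings. Treat the output as a checklist for review, not as a substitute for an external scan such as the SSL Labs test linked in the thread, which sees the negotiated result rather than the config text.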