bug#47823: Hardenize Guix website TLS/DNS

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47823: Hardenize Guix website TLS/DNS

From:	Leo Famulari
Subject:	bug#47823: Hardenize Guix website TLS/DNS
Date:	Fri, 16 Apr 2021 12:15:25 -0400

On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
> Scanning Guix website gave many missing security features which modern
> security needs them to be available:
> 
> * TLS and DNS:
> 
> looking at:
> 
> https://www.hardenize.com/report/guix.gnu.org/1618568751
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

Thanks!

> - DNS: DNSSEC support missing (important)

Hm, is it important? My impression is that it's an idea whose time has
passed without significant adoption.

But maybe we could enable it if the costs are not too great.

> - TLS 1.0 , 1.1 considered deprecated since 2020

Yes, we should disable these, assuming there is not significant traffic
over them.

> - Allow TLS 1.3 as it helps with ESNI whenever its ready by openssl

Yes, we should enable this.

> - Use only secure ciphers, disable old ciphers

Yes.

> - Force redirection of insecure connection with plain text to TLS
> - HSTS/HSTS-preload support missing (important)

Yes, we should enable these.

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47823: Hardenize Guix website TLS/DNS, bo0od, 2021/04/16
- bug#47823: Hardenize Guix website TLS/DNS, Leo Famulari <=
  - bug#47823: Hardenize Guix website TLS/DNS, Dr. Arne Babenhauserheide, 2021/04/16
  - bug#47823: Hardenize Guix website TLS/DNS, Julien Lepiller, 2021/04/16

Prev by Date: bug#47791: util-linux fails to build on the Hurd (some tests fail)
Next by Date: bug#47660: Add link to the ticket when someone reply
Previous by thread: bug#47823: Hardenize Guix website TLS/DNS
Next by thread: bug#47823: Hardenize Guix website TLS/DNS
Index(es):
- Date
- Thread