On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote: > Scanning Guix website gave many missing security features which modern > security needs them to be available: > > * TLS and DNS: > > looking at: > > https://www.hardenize.com/report/guix.gnu.org/1618568751 > > https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
Thanks! > - DNS: DNSSEC support missing (important) Hm, is it important? My impression is that it's an idea whose time has passed without significant adoption. But maybe we could enable it if the costs are not too great. > - TLS 1.0 , 1.1 considered deprecated since 2020 Yes, we should disable these, assuming there is not significant traffic over them. > - Allow TLS 1.3 as it helps with ESNI whenever its ready by openssl Yes, we should enable this. > - Use only secure ciphers, disable old ciphers Yes. > - Force redirection of insecure connection with plain text to TLS > - HSTS/HSTS-preload support missing (important) Yes, we should enable these.
