On Fri, Mar 27, 2015 at 03:33:15PM +0100, Hanno Böck wrote:
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.
Please read my one counter-argument below, as it's not one you refuted.

> Right now we seem to have a mix:
...
> * Some with logins are mixed http/login-via-https, which makes them
>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
Are you sure about this? Everything on wiki should always redirect to SSL very 
early.

> I'd propose the following:
> * Make all pages under .gentoo.org https by default
Enabled for the following sites now (copied from cfengine commit):
 files/etc/apache2/vhosts.d/sites/ads/01_ads.gentoo.org.conf                   | 6 ++++++
 files/etc/apache2/vhosts.d/sites/api/api.gentoo.org.conf                      | 6 ++++++
 files/etc/apache2/vhosts.d/sites/archives/30_archives.gentoo.org.conf         | 6 ++++++
 files/etc/apache2/vhosts.d/sites/blogs/35_blogs.gentoo.org.conf               | 6 ++++++
 files/etc/apache2/vhosts.d/sites/devmanual/35_devmanual.gentoo.org.conf       | 6 ++++++
 files/etc/apache2/vhosts.d/sites/forums/01_forums.gentoo.org.conf             | 6 ++++++
 files/etc/apache2/vhosts.d/sites/get/36_get.gentoo.org.conf                   | 6 ++++++
 files/etc/apache2/vhosts.d/sites/infra-status/40_infra-status.gentoo.org.conf | 6 ++++++
 files/etc/apache2/vhosts.d/sites/mirrorstats/20_mirrorstats.gentoo.org.conf   | 6 ++++++
 files/etc/apache2/vhosts.d/sites/packages/packages.gentoo.org.conf            | 6 ++++++
 files/etc/apache2/vhosts.d/sites/planet/40_planet.gentoo.org.conf             | 6 ++++++
 files/etc/apache2/vhosts.d/sites/qa-reports/36_qa-reports.gentoo.org.conf     | 6 ++++++
 files/etc/apache2/vhosts.d/sites/sources/30_sources.gentoo.org.conf           | 6 ++++++
 files/etc/apache2/vhosts.d/sites/www/www.gentoo.org.conf                      | 6 ++++++
 14 files changed, 84 insertions(+)

> * Make sure all use modern HTTPS features, including:
>  * OCSP Stapling
SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

>  * HSTS
It's coming already, you can see it on security.gentoo.org.

>  * A secure collection of cipher suites
What's wrong with our present Ciphers?
https://www.ssllabs.com/ssltest/analyze.html?d=gentoo.org
We have them configured per:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
SSLCompression off

>  * (one may add HPKP here, but it requires careful planning and has the
>    potential to lock people out of the page if done wrong)
Too risky at this point.

> (On the long term I think it would also be good to have downloads over
> https, but I'm aware that this is more difficult as it involves mirror
> operators that are not under direct control of gentoo infrastructure.)
This is why we published signatures on as much as we can.

> As I know these discussions, I'll already answer to some
> counter-arguments that may come up:
Users behind firewalls that block HTTPS are now going to be blocked from Gentoo
services.

Last time we proposed going HTTPS-by-default, there was complaint from users
that were going to be locked out.

I've turned it on anyway now, and want them to come out of the woodwork to
refute you that we're ready for HTTPS-by-default.

> "Certificates are too expensive"
> Gentoo already has certs for all pages, so this is not an argument
> here, but if this ever becomes an issue there are a number of CAs these
> days that issue free certs. In summer the community based CA Let's
> encrypt will start which will be another option.
We're still limited when it comes to services that need wildcards for the
service. We have one such presently, and I hope we don't get more:
Bugzilla, for attachments (which are served at a different hostname that can't
access your base bugzilla cookies even if the attachment contains javascript that
runs).

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
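As an added example (not code from the thread or from Gentoo infra), a small Python audit of an Apache vhost fragment against the points raised above: SSLv2/SSLv3 exclusion, TLS compression, server cipher order, the !aNULL/!MD5 exclusions, HSTS max-age and OCSP stapling. The sample fragment is constructed from the directives quoted in the reply; treating `ALL` as every known protocol name is an assumption, since mod_ssl releases differ on what it expands to.

```python
import re

# Constructed sample: the SSLProtocol/SSLCipherSuite lines quoted in the thread plus an
# HSTS header of the kind the reply says is coming. Not a real Gentoo vhost file.
SAMPLE_VHOST = """\
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
SSLCompression off
Header always set Strict-Transport-Security "max-age=31536000"
"""
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def directives(text):
    """Map directive name -> list of values, skipping blank lines and '#' comments."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            out.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return out

def enabled_protocols(spec):
    """Resolve e.g. 'ALL -SSLv2 -SSLv3' to the enabled set; assumes ALL == PROTOCOLS."""
    enabled = set()
    for tok in spec.split():
        if tok.lower() == "all":
            enabled |= PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit_vhost(text):
    """Return check name -> result for the hardening points raised in the thread."""
    d = directives(text)
    last = lambda name: d.get(name, [""])[-1].lower()  # Apache applies the last occurrence
    protos = enabled_protocols(d.get("SSLProtocol", ["ALL"])[-1])
    suites = ":".join(d.get("SSLCipherSuite", [])).split(":")
    hsts = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', " ".join(d.get("Header", [])))
    return {
        "sslv2_disabled": "SSLv2" not in protos,
        "sslv3_disabled": "SSLv3" not in protos,
        "compression_off": last("SSLCompression") == "off",      # require an explicit off
        "server_cipher_order": last("SSLHonorCipherOrder") == "on",
        "anon_and_md5_excluded": {"!aNULL", "!MD5"} <= set(suites),
        "3des_offered": any("3DES" in s for s in suites if not s.startswith("!")),
        "hsts_max_age": int(hsts.group(1)) if hsts else None,    # None = no HSTS header
        "ocsp_stapling": last("SSLUseStapling") == "on",        # SSLUseStapling needs 2.3+
    }
```

Run it over a real vhost file by passing its contents to `audit_vhost`; a False or None for any key other than `3des_offered` is a point to revisit.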
