On Fri, 27 Mar 2015 19:18:24 +0000
"Robin H. Johnson" <robb...@gentoo.org> wrote:

> > * Some with logins are mixed http/login-via-https, which makes them
> >   vulnerable to SSL stripping attacks (e.g. wiki.gentoo.org)
> Are you sure about this? Everything on wiki should always redirect to
> SSL very early.

Sure about what?
When I call the wiki page I currently get:
http://wiki.gentoo.org/wiki/Main_Page

Clicking on login will redirect to https, but at that point an attacker
is already able to change this link.

> Enabled for the following sites now (copied from cfengine commit):

Great. (However I don't see that yet live - server restart needed or is
there some deployment process that has to happen first?)

> > * Make sure all use modern HTTPS features, including:
> >  * OCSP Stapling
> SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

That's unfortunate; Apache 2.2 is pretty outdated when it
comes to TLS security.

> >  * A secure collection of cipher suites
> What's wrong with our present Ciphers?

Haven't checked them in detail; they look mostly fine. One issue: DH
ciphers with a small modulus (1024 bit). But that's unfixable within
Apache 2.2, so same as above.

> > (On the long term I think it would also be good to have downloads
> > over https, but I'm aware that this is more difficult as it
> > involves mirror operators that are not under direct control of
> > gentoo infrastructure.)
> This is why we published signatures on as much as we can.

Yes, signatures are fine, but realistically they require manual
intervention and not everyone will do that. Defaulting to https is a
very usable way to make malicious downloads less likely. Signatures
should stay as an additional protection measure.

> Users behind firewalls that block HTTPS are now going to be blocked
> from Gentoo services.
> 
> Last time we proposed going HTTPS-by-default, there was complaint
> from users that were going to be locked out.

I would be very surprised if this is an issue any more.

These days pretty much all big players use https only (google,
facebook, twitter, github, ...). You can't really use the
mainstream internet if your firewall blocks https.

> We're still limited when it comes to services that need wildcards for
> the service. We have one such presently, and I hope we don't get more:
> Bugzilla, for attachments. (which are served at a different hostname
> that can't access your base bugzilla cookies even if the attachment
> contains javascript that runs).

I have hopes that Let's Encrypt will also allow free wildcards, but
that seems to be undecided yet.
But wildcards aren't super-expensive. One can e.g. get a validation by
StartSSL for an unlimited number of wildcards for a year; I don't
remember the exact price, but it was in the $100-200 range.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

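The mixed http/login-via-https pattern discussed in this message can be checked mechanically: a site that serves its pages over plain HTTP and only switches to HTTPS at the login link is exposed to SSL stripping, whereas one that redirects to HTTPS on the first request is not. The checker below is an added example, not code from the thread or from Gentoo infra; the classification names and the login-link heuristic are my own assumptions.

```python
"""Classify an HTTP origin: does it redirect to HTTPS early, or does it
serve content over plain HTTP with only the login link pointing to HTTPS?
Example code written for this thread, not Gentoo infra tooling."""
import http.client
import re

# Heuristic (assumption): an https:// link whose URL mentions "login".
HTTPS_LOGIN = re.compile(r'href="(https://[^"]*login[^"]*)"', re.IGNORECASE)
REDIRECTS = (301, 302, 303, 307, 308)


def fetch(host, path="/", port=80, timeout=5):
    """Plain-HTTP GET; returns (status, headers dict, decoded body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    return resp.status, dict(resp.getheaders()), body


def classify(status, headers, body):
    """Return 'redirects-to-https', 'mixed-login' or 'plain-http'.

    redirects-to-https: the first HTTP response sends the client to an
        https:// URL, so no page content crosses the wire unprotected.
    mixed-login: content is served over HTTP and only the login link is
        https://; an on-path attacker can rewrite that link (SSL stripping).
    plain-http: content over HTTP with no HTTPS login link at all.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "")
    if status in REDIRECTS and location.lower().startswith("https://"):
        return "redirects-to-https"
    if HTTPS_LOGIN.search(body):
        return "mixed-login"
    return "plain-http"


def check_http_origin(host, path="/"):
    """Fetch the page over plain HTTP and classify the result."""
    return classify(*fetch(host, path))


if __name__ == "__main__":
    # Live check against the host named in the thread (needs network).
    print("wiki.gentoo.org:", check_http_origin("wiki.gentoo.org", "/wiki/Main_Page"))
```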