On Mon, Sep 19, 2016 at 12:30:03PM +0200, Hanno Böck wrote:
> *The code repositories*
> 
> Now all of the above can be alleviated a bit if a user carefully uses
> https all the time manually or uses a plugin like https everywhere. But
> even more worrying is that there is no way to access the savannah git
> repositories in a secure way for anonymous users.
> 
> If you look at a repository site like this:
> http://savannah.gnu.org/git/?group=patch
> 
> There are two ways to clone the repo: Over the git:// protocol, which
> is plaintext and insecure, and over ssh, which is only available if you
> have a savannah account and are a member of that project. Therefore for
> all people that are not part of a project there is no secure way of
> getting the git code.
> 
> I think for these two reasons one cannot argue that savannah supports
> HTTPS "properly and securely".
> 
> I don't know if people operating savannah read this, but I'd recommend
> these changes:
> * Remove the nonsensical login option and make security the default.
> * Redirect all http queries to https.
> * Set an HSTS header to avoid accidental http access.
> * Create an anonymous git checkout option over HTTPS.

I have reported this issue to GNU webmasters three months ago, who said
to forward this to the Savannah team. Nothing has happened so far.

There used to be an "includeSubDomains" directive in gnu.org (root), but it
was broken in regards to Savannah and removed.

I have attached the whole email conversation with GNU webmasters. The
incorrect use of terms from GNU's side does not make me very
confident...

> 
> Until these issues have been resolved I think savannah should no longer
> be called an ethical code hosting option.

Agreed, and I have criticized issues similar to this before on this
list.

From w...@partyvan.eu Thu Jul 14 06:13:58 2016
Date: Thu, 14 Jul 2016 06:13:58 +0000
From: Juuso Lapinlampi <w...@partyvan.eu>
To: webmas...@gnu.org
Cc: webmast...@gnu.org
Subject: HSTS policy on gnu.org prevents loading *.savannah.gnu.org
Message-ID: <20160714061358.ga31...@partyvan.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Status: RO
Content-Length: 473
Lines: 16

gnu.org enforces a HSTS policy with includeSubDomains.

The following subdomains however do not support HTTPS:

    git.savannah.gnu.org
    vcs.savannah.gnu.org
    bzr.savannah.gnu.org

It is thus not possible to browse the source code in HSTS-enforcing
user-agents. savannah.gnu.org links to these subdomains with "browse
source repository".

Please apply one of the following fixes:

1. Add HTTPS support to *.savannah.gnu.org; or
2. Modify the HSTS policy on gnu.org.

From rtboun...@gnu.org Thu Jul 14 17:17:49 2016
Return-Path: rtboun...@gnu.org
Delivered-To: w...@partyvan.eu
Received: from rt.gnu.org (rt.gnu.org [74.94.156.213])
        by mail.partyvan.eu (OpenSMTPD) with ESMTPS id 69378bb0
        TLS version=TLSv1 cipher=AES256-SHA bits=256 verify=NO
        for <w...@partyvan.eu>;
        Thu, 14 Jul 2016 17:17:49 +0000 (UTC)
Received: from www-data by rt.gnu.org with local (Exim 4.69)
        (envelope-from <www-d...@gnu.org>)
        id 1bNkGg-0001TS-8h
        for w...@partyvan.eu; Thu, 14 Jul 2016 13:17:46 -0400
Subject: [gnu.org #1127678] HSTS policy on gnu.org prevents loading *.savannah.gnu.org
From: "Lisa Maginnis via RT" <sysad...@gnu.org>
Reply-To: sysad...@gnu.org
In-Reply-To: <20160714061358.ga31...@partyvan.eu>
References: <rt-ticket-1127...@rt.gnu.org> <20160714061358.ga31...@partyvan.eu>
Message-ID: <rt-3.4.5-3992-1468516665-1972.1127678-...@rt.gnu.org>
Precedence: bulk
X-RT-Loop-Prevention: gnu.org
RT-Ticket: gnu.org #1127678
Managed-by: RT 3.4.5 (http://www.bestpractical.com/rt/)
RT-Originator: li...@fsf.org
To: w...@partyvan.eu
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: utf-8
Date: Thu, 14 Jul 2016 13:17:46 -0400
Status: RO
X-Status: A
Content-Length: 511
Lines: 21

Hello,

Thank you for this report. I have removed the `subdomain' directive from
our HSTS header on gnu.org. This should resolve the issue for you
(pending clearing your browser cache in some cases). 

In the meantime I have also contacted the Savannah team about
configuring SSL for the domains you listed.

Thanks & Happy hackingz,

-- 
~Lisa Marie Maginnis
Senior System Administrator
Free Software Foundation
http://fsf.org http://gnu.org
GPG Key: 61EEC710

Support our infrastructure!
https://donate.fsf.org


From w...@partyvan.eu Thu Jul 14 17:31:01 2016
Date: Thu, 14 Jul 2016 17:31:01 +0000
From: Juuso Lapinlampi <w...@partyvan.eu>
To: Lisa Maginnis via RT <sysad...@gnu.org>
Subject: Re: [gnu.org #1127678] HSTS policy on gnu.org prevents loading
 *.savannah.gnu.org
Message-ID: <20160714173101.ga23...@partyvan.eu>
References: <rt-ticket-1127...@rt.gnu.org>
 <20160714061358.ga31...@partyvan.eu>
 <rt-3.4.5-3992-1468516665-1972.1127678-...@rt.gnu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <rt-3.4.5-3992-1468516665-1972.1127678-...@rt.gnu.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Status: RO
Content-Length: 293
Lines: 6

On Thu, Jul 14, 2016 at 01:17:46PM -0400, Lisa Maginnis via RT wrote:
> In the meantime I have also contacted the Savannah team about
> configuring SSL for the domains you listed.

All versions of SSL are considered insecure: please do not use them.
TLS1.0+ is still considered to be reasonable.

From rtboun...@gnu.org Thu Jul 14 17:38:52 2016
Return-Path: rtboun...@gnu.org
Delivered-To: w...@partyvan.eu
Received: from rt.gnu.org (rt.gnu.org [74.94.156.213])
        by mail.partyvan.eu (OpenSMTPD) with ESMTPS id 5372322e
        TLS version=TLSv1 cipher=AES256-SHA bits=256 verify=NO
        for <w...@partyvan.eu>;
        Thu, 14 Jul 2016 17:38:52 +0000 (UTC)
Received: from www-data by rt.gnu.org with local (Exim 4.69)
        (envelope-from <www-d...@gnu.org>)
        id 1bNkb3-0001xm-MU
        for w...@partyvan.eu; Thu, 14 Jul 2016 13:38:49 -0400
Subject: [gnu.org #1127678] HSTS policy on gnu.org prevents loading *.savannah.gnu.org
From: "Lisa Maginnis via RT" <sysad...@gnu.org>
Reply-To: sysad...@gnu.org
In-Reply-To: <rt-3.4.5-6160-1468517476-662.1127678-...@rt.gnu.org>
References: <rt-ticket-1127...@rt.gnu.org> <20160714061358.ga31...@partyvan.eu> 
<rt-3.4.5-3992-1468516665-1972.1127678-...@rt.gnu.org> 
<20160714173101.ga23...@partyvan.eu> 
<rt-3.4.5-6160-1468517476-662.1127678-...@rt.gnu.org>
Message-ID: <rt-3.4.5-7140-1468517929-731.1127678-...@rt.gnu.org>
Precedence: bulk
X-RT-Loop-Prevention: gnu.org
RT-Ticket: gnu.org #1127678
Managed-by: RT 3.4.5 (http://www.bestpractical.com/rt/)
RT-Originator: li...@fsf.org
To: w...@partyvan.eu
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: utf-8
Date: Thu, 14 Jul 2016 13:38:49 -0400
Status: RO
Content-Length: 776
Lines: 24

> On Thu, Jul 14, 2016 at 01:17:46PM -0400, Lisa Maginnis via RT wrote:
> > In the meantime I have also contacted the Savannah team about
> > configuring SSL for the domains you listed.
> 
> All versions of SSL are considered insecure: please do not use them.
> TLS1.0+ is still considered to be reasonable.

In this case I meant TLS1.0+, the FSF has a strict no SSLv2 or SSLv3
policy for hosting HTTPS. Since the exploits BEAST (CVE-2011-3389) and
POODLE (CVE-2014-3566) have rendered SSLv2 and SSLv3 obsolete, a lot of
people still use the word SSL while meaning TLS.

Thank you for your concern,

-- 
~Lisa Marie Maginnis
Senior System Administrator
Free Software Foundation
http://fsf.org http://gnu.org
GPG Key: 61EEC710

Support our infrastructure!
https://donate.fsf.org
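The following is an added example, not part of the thread or of any GNU/FSF code: a small offline model of the HSTS interaction the attached report describes (an RFC 6797 header parser, the effect of a parent domain's includeSubDomains directive on subdomains that do not serve HTTPS) together with a check of the first two recommendations from the list above, the http-to-https redirect and the HSTS header. The hostnames and HTTPS-support flags are constructed to mirror the July 2016 report; the max-age value and the one-year threshold are assumptions for the example, and nothing here contacts the network.

```python
# Added example, not part of the thread: offline model of how a parent
# domain's HSTS policy with includeSubDomains affects subdomains that do
# not serve HTTPS, plus an audit of the redirect and HSTS recommendations.
# Sample data below is constructed; no network access is performed.

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Directives are ';'-separated, names are case-insensitive, max-age is
    mandatory; unknown directives are ignored as the RFC requires.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def hsts_applies(host, hsts_cache):
    """Return True if a user-agent holding `hsts_cache` (host -> parsed policy,
    what the browser remembers from earlier HTTPS visits) would rewrite
    http://host/ to https://host/ before sending the request."""
    for known_host, policy in hsts_cache.items():
        if policy["max_age"] == 0:      # max-age=0 deletes the cached entry
            continue
        if host == known_host:
            return True
        if policy["include_subdomains"] and host.endswith("." + known_host):
            return True
    return False


def unreachable_hosts(hsts_cache, https_support):
    """Hosts the UA will force onto HTTPS that do not actually serve HTTPS:
    exactly the 'cannot browse the source' failure from the report."""
    return sorted(host for host, serves_https in https_support.items()
                  if not serves_https and hsts_applies(host, hsts_cache))


def audit_https_posture(http_status, http_location, https_headers):
    """Check the redirect and HSTS recommendations against captured responses:
    http:// should redirect to https://, and the https:// response should
    carry a well-formed HSTS header. Returns a list of findings (empty = ok)."""
    findings = []
    redirected = (300 <= http_status < 400
                  and (http_location or "").lower().startswith("https://"))
    if not redirected:
        findings.append("http is not redirected to https")
    hsts = next((v for k, v in https_headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        try:
            # One year is an assumed threshold for this example, not a rule from the thread.
            if parse_hsts(hsts)["max_age"] < 31536000:
                findings.append("HSTS max-age shorter than one year")
        except ValueError as exc:
            findings.append("malformed HSTS header: %s" % exc)
    return findings


# Constructed sample data mirroring the report: gnu.org sends includeSubDomains
# (max-age value assumed), the three Savannah VCS hosts served no HTTPS.
SAMPLE_HSTS_CACHE = {"gnu.org": parse_hsts("max-age=31536000; includeSubDomains")}
SAMPLE_HTTPS_SUPPORT = {
    "www.gnu.org": True,
    "savannah.gnu.org": True,
    "git.savannah.gnu.org": False,
    "vcs.savannah.gnu.org": False,
    "bzr.savannah.gnu.org": False,
    "example.org": False,          # unrelated host, unaffected by gnu.org's policy
}
# Fix 2 from the report: the same policy without includeSubDomains.
FIXED_HSTS_CACHE = {"gnu.org": parse_hsts("max-age=31536000")}

if __name__ == "__main__":
    print("broken with includeSubDomains:", unreachable_hosts(SAMPLE_HSTS_CACHE, SAMPLE_HTTPS_SUPPORT))
    print("broken after fix 2:", unreachable_hosts(FIXED_HSTS_CACHE, SAMPLE_HTTPS_SUPPORT))
    print("audit of a plain-http-only host:", audit_https_posture(200, None, {}))
```

The model shows why the sysadmin's quick fix (dropping includeSubDomains) restores access but only by weakening the policy: the three hosts disappear from `unreachable_hosts` because the UA stops upgrading them, not because they became secure. The first fix from the report (serving HTTPS on the subdomains) makes `unreachable_hosts` empty while keeping includeSubDomains, which is the state a defender wants before the directive, or preloading, is turned back on.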

