-------- Original Message --------
Subject: Re: [website] Suggestion to start using HTTPS
Date: 2018-09-05 04:02
From: DJ Lucas <[email protected]>
To: renodr <[email protected]>
Reply-To: [email protected]
On 09/04/2018 04:08 PM, renodr wrote:
> On 2018-09-04 15:05, eah2119 wrote:
>> The website ought to be using HTTPS to help protect its users against
>> man-in-the-middle attacks. I think this is especially important when
>> you're distributing a list of software package URLs
>> (http://www.linuxfromscratch.org/lfs/view/stable/wget-list). The list
>> itself should go over HTTPS and each listed software package should be
>> downloaded through HTTPS or some other secure protocol if possible.
>> Let's Encrypt is a free certificate authority you can use to enable
>> HTTPS on your site.
>> Cheers,
>> Evan
> I believe DJ Lucas was working on some sort of proposal for this.
> DJ, can you chime in?
I'm not subbed, but feel free to forward to the list.
Need to do just a bit of work and schedule a little down time to test.
Gerard would likely be the best to handle it since he knows higgs much
better than I, and has done these setups many more times.
The httpd configs are already written. It's been a bit since I wrote
them: cut cipher list, HSTS is enforced, both standard and EC certs,
etc. It should net us at least an A (but most likely an A+) as is on the
Qualys SSL test. Just have to be certain that the HSTS setups don't
break anything (or take a small score hit for not having it - just
disable the line for HSTS and 80 will work as before if there are any
problems).
Last attempt, I tried to use acme.sh with http verification which would
fail repeatedly on a random host. It looked like maybe there was some
caching proxy/accelerator in front of higgs, but I didn't bother digging
in too much at the time because I had already exceeded my downtime
request. Given that we are on the DNS server, our best method is
probably to do a single wildcard certificate. See this article for
complete instructions using acme.sh (no additional dependencies and uses
an alias domain for the dynamic update to limit any potential exposure
(which there wouldn't be anyway, but JIC)):
http://strugglers.net/~andy/blog/2018/03/19/lets-encrypt-wildcard-certificates-acme-sh-and-automated-dns-verification/
--DJ
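Added example, not from the thread and not the LFS website's actual configuration: an Apache httpd 2.4 vhost pair of the kind DJ describes, with the port 80 redirect, both RSA and ECDSA certificates, a trimmed cipher list and the single HSTS line that can be disabled to back out. Hostnames, certificate paths and the max-age value are assumptions.

```apache
# Assumed hostnames and paths throughout; mod_ssl and mod_headers must be loaded.

# Port 80 keeps answering so existing links work, but only to send clients to HTTPS.
<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    ServerAlias example.org
    DocumentRoot /srv/www/example.org

    SSLEngine on
    # Two certificates on one vhost (httpd 2.4.8 or later): the ECDSA cert is
    # offered to clients that support it, the RSA cert to everyone else.
    # Paths are assumed; acme.sh --install-cert can be pointed at them.
    SSLCertificateFile    /etc/ssl/acme/example.org/ecc/fullchain.cer
    SSLCertificateKeyFile /etc/ssl/acme/example.org/ecc/example.org.key
    SSLCertificateFile    /etc/ssl/acme/example.org/rsa/fullchain.cer
    SSLCertificateKeyFile /etc/ssl/acme/example.org/rsa/example.org.key

    # Cut protocol and cipher list: no SSLv3/TLS 1.0/1.1, forward-secret AEAD
    # suites only, server-side ordering, no TLS compression.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    SSLCompression      off

    # HSTS: the one line to comment out if HTTPS has to be backed out.
    # Caveat: browsers that have already seen this header keep refusing plain
    # http:// until max-age expires, so test with a short max-age (e.g. 300)
    # and raise it to a year only once the setup is confirmed working.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```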
--
http://lists.linuxfromscratch.org/listinfo/website
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page