Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-31 Thread Alec Warner
On Mon, Mar 30, 2015 at 8:58 PM, Dean Stephens desult...@gentoo.org wrote:

> On 03/27/15 15:29, Hanno Böck wrote:
>> These days pretty much all big players use https only (google,
>> facebook, twitter, github, ...). You can't really use the
>> mainstream internet if your firewall blocks https.
>
> Can we please stop making stuff up[1] just to make an argument seem
> stronger to the overly credulous?


I agree his argument is bogus (plenty of the internet is http) but relying
on undocumented query arguments to prevent ssl redirection is...not really
the example I'd choose to use to illustrate the point.


> [1] http://www.google.com/search?q=this+is+not+impossible&gws_rd=ssl


Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-30 Thread Dean Stephens
On 03/27/15 15:29, Hanno Böck wrote:
> These days pretty much all big players use https only (google,
> facebook, twitter, github, ...). You can't really use the
> mainstream internet if your firewall blocks https.
 
Can we please stop making stuff up[1] just to make an argument seem
stronger to the overly credulous?

[1] http://www.google.com/search?q=this+is+not+impossible&gws_rd=ssl



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-29 Thread Michał Górny
On 2015-03-27, at 15:33:15, Hanno Böck ha...@gentoo.org wrote:

> I think defaulting the net to HTTPS is a big step for more security and
> I think Gentoo should join the trend here.

While I don't mind this entirely, we need to make sure to get things
right. For example, I'm quite unhappy being unable to use Forums or
sources.g.o from my phone because of some SSL issues… Do you really
believe serving content insecurely is worse than serving no content
at all?

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-29 Thread Michał Górny
On 2015-03-29, at 18:50:17, Hanno Böck ha...@gentoo.org wrote:

> On Sun, 29 Mar 2015 16:46:05 +0200
> Michał Górny mgo...@gentoo.org wrote:
>
>> While I don't mind this entirely, we need to make sure to get things
>> right. For example, I'm quite unhappy being unable to use Forums or
>> sources.g.o from my phone because of some SSL issues…
>
> Can you be more specific on that? Of course if there are problems we
> should fix them - and I'm glad to help in analyzing those.
> (However there are some unfortunate issues that are hard to fix, e.g.
> some devices relying on broken protocols like sslv3 - but I think these
> should be rare)
>
> What phone? Should we move such issues to bugzilla? (cc me if you open
> a bug)

Xperia X10 Mini, with ancient Android 2.1.

bugs.gentoo.org works, though it complains about hostname mismatch (I
guess it doesn't handle wildcard certs or sth).

forums.gentoo.org, sources.gentoo.org it first complains about
untrusted issuer, and after telling it to configure tries a bit more
and gives 'Unable to connect to server, try again later.'

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-29 Thread James Le Cuirot
On Sun, 29 Mar 2015 19:23:51 +0200
Michał Górny mgo...@gentoo.org wrote:

> Xperia X10 Mini, with ancient Android 2.1.
>
> bugs.gentoo.org works, though it complains about hostname mismatch (I
> guess it doesn't handle wildcard certs or sth).

Not exactly, it can't handle servers with more than one SSL certificate
per IP. A wildcard certificate probably would work. Android 2.3
(Gingerbread) is the last release and probably the only OS of any
significant concern to not support SNI at all. Even XP does with
certain browsers.

I know that particular phone and to be fair, it's pretty poor. That
240x320 screen surely hurts your eyes. ;) You could probably pick up
something better for nothing. That phone can also be rooted quite
easily (I've done it) and then flashed with something more recent.

-- 
James Le Cuirot (chewi)
Gentoo Linux Developer




Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-29 Thread Hanno Böck
On Sun, 29 Mar 2015 16:46:05 +0200
Michał Górny mgo...@gentoo.org wrote:

> While I don't mind this entirely, we need to make sure to get things
> right. For example, I'm quite unhappy being unable to use Forums or
> sources.g.o from my phone because of some SSL issues…

Can you be more specific on that? Of course if there are problems we
should fix them - and I'm glad to help in analyzing those.
(However there are some unfortunate issues that are hard to fix, e.g.
some devices relying on broken protocols like sslv3 - but I think these
should be rare)

What phone? Should we move such issues to bugzilla? (cc me if you open
a bug)

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42




Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-28 Thread Sebastian Pipping
On 27.03.2015 15:33, Hanno Böck wrote:
> I think defaulting the net to HTTPS is a big step for more security and
> I think Gentoo should join the trend here.

Yes please!



Sebastian




Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-28 Thread Alexander Berntsen

+1 for everything.

-- 
Alexander
berna...@gentoo.org
https://secure.plaimi.net/~alexander



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-28 Thread Vladimir Smirnov
Just my 5c:

On Fri, 27 Mar 2015 19:18:24 +
Robin H. Johnson robb...@gentoo.org wrote:


 
>> * Make sure all use modern HTTPS features, including:
>>  * OCSP Stapling
> SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

You can always set up Nginx, if not instead, but at least in front of the 
Apache and hand over SSL handling to it.





[gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Hanno Böck
Hi,

Right now a number of Gentoo webpages are by default served over http.
There is a growing trend to push more webpages to default to https,
mostly pushed by google. I think this is a good thing and I think
Gentoo should follow.

Right now we seem to have a mix:
* A number of webpages default to http and have optional https
  (www.gentoo.org)
* Some with sensitive logins are already https by default (e.g.
  bugs.gentoo.org), but they don't use hsts, which they should
* Some with logins are mixed http/login-via-https, which makes them
  vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)

I'd propose the following:
* Make all pages under .gentoo.org https by default
* Make sure all use modern HTTPS features, including:
 * OCSP Stapling
 * HSTS
 * A secure collection of cipher suites
 * (one may add HPKP here, but it requires careful planning and has the
   potential to lock people out of the page if done wrong)
(In the long term I think it would also be good to have downloads over
https, but I'm aware that this is more difficult as it involves mirror
operators that are not under direct control of gentoo infrastructure.)

As I know these discussions, I'll already answer to some
counter-arguments that may come up:

It's not necessary to do https on pages without logins
These kinds of arguments show a fundamental misunderstanding of what
https does. It guarantees confidentiality *and* integrity. In short, it
protects content not only from observation, but also from manipulation,
which is always a good thing. A very practical example is that on some
networks foreign ads get injected into other people's webpages.

Makes things slower / servers can't handle it
The performance costs for TLS on a server are often vastly overstated.
The performance hit on servers doing https is very close to zero, it
just doesn't matter much.
There are some latency problems for connections, but these can mostly
be wiped out by a sane configuration of the server. If http/2 is used
one can even improve the performance with https.

Certificates are too expensive
Gentoo already has certs for all pages, so this is not an argument
here, but if this ever becomes an issue there are a number of CAs these
days that issue free certs. In summer the community based CA Let's
encrypt will start which will be another option.

CAs are bad and the whole system is broken
Partly true, but it doesn't get any better if people stick to HTTP.
Many problems of the CA system can be mitigated by modern technologies
like Key Pinning and Certificate Transparency.

I think defaulting the net to HTTPS is a big step for more security and
I think Gentoo should join the trend here.

cu,

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

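Added here as an example, not code from the thread or from Gentoo's infrastructure: a small Python model of a browser's HSTS store and of the site behaviours Hanno lists (http by default, https by default without HSTS, https with HSTS), counting how many page loads still start in cleartext and are therefore exposed to stripping. All hostnames, header values and server responses are constructed.

```python
# Added example, not code from the gentoo-dev thread or Gentoo's infra: a model of a
# browser's HSTS store (RFC 6797) and of the site kinds Hanno lists; constructed data.
from dataclasses import dataclass
from typing import Optional

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if max-age is missing/invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

class HstsStore:
    """Per-host state a browser keeps after seeing the header over https."""
    def __init__(self):
        self.hosts = {}  # host -> (expires_at, include_subdomains)

    def record(self, host, header, now):
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self.hosts.pop(host, None)
            return
        self.hosts[host] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host, now):
        # exact host, or a parent domain whose policy has includeSubDomains
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

@dataclass
class Site:
    host: str
    https_default: bool         # http requests are answered with a 301 to https
    hsts: Optional[str] = None  # header value sent over https, if any

def fetch(site, scheme):
    # constructed server behaviour: returns (status, headers)
    if scheme == "http":
        if site.https_default:
            return 301, {"Location": f"https://{site.host}/"}
        return 200, {}  # cleartext page, e.g. one that only links to an https login
    headers = {"Strict-Transport-Security": site.hsts} if site.hsts else {}
    return 200, headers

def visit(store, site, scheme, now):
    """One navigation from an http:// or https:// link; returns cleartext requests."""
    cleartext = 0
    if scheme == "http" and store.must_use_https(site.host, now):
        scheme = "https"  # browser upgrades internally; nothing goes out over http
    while True:
        status, headers = fetch(site, scheme)
        if scheme == "http":
            cleartext += 1  # HSTS over http is ignored; this is the stripping window
        elif "Strict-Transport-Security" in headers:
            store.record(site.host, headers["Strict-Transport-Security"], now)
        if status == 301:
            scheme = "https"  # follow the redirect
            continue
        return cleartext

def cleartext_loads(site, visits=3):
    """Cleartext requests over `visits` visits a minute apart, each from an http link."""
    store = HstsStore()
    return sum(visit(store, site, "http", 60 * i) for i in range(visits))
```

A site that redirects to https but sends no HSTS still produces one cleartext request on every visit; with a long max-age only the very first visit does, which is why the proposal pairs https-by-default with HSTS.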


Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Thomas D.
Hi,

Hanno Böck wrote:
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.

+1


> Right now we seem to have a mix:
> * A number of webpages default to http and have optional https
>   (www.gentoo.org)
> * Some with sensitive logins are already https by default (e.g.
>   bugs.gentoo.org), but they don't use hsts, which they should
> * Some with logins are mixed http/login-via-https, which makes them
>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)

Don't forget the forum (http://forums.gentoo.org/). Even if you connect
to https://forums.gentoo.org/ it will always fall back to HTTP.
Also all the mail notifications will send you to the HTTP version...


-Thomas




Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Marc Schiffbauer

TL;DR: Yes!

* Hanno Böck wrote on 27.03.15 at 15:33:
> Hi,
>
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.
>
> Right now we seem to have a mix:
> * A number of webpages default to http and have optional https
>   (www.gentoo.org)
> * Some with sensitive logins are already https by default (e.g.
>   bugs.gentoo.org), but they don't use hsts, which they should
> * Some with logins are mixed http/login-via-https, which makes them
>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
>
> I'd propose the following:
> * Make all pages under .gentoo.org https by default
> * Make sure all use modern HTTPS features, including:
>  * OCSP Stapling
>  * HSTS
>  * A secure collection of cipher suites

- bettercrypto.org

>  * (one may add HPKP here, but it requires careful planning and has the
>    potential to lock people out of the page if done wrong)
> (In the long term I think it would also be good to have downloads over
> https, but I'm aware that this is more difficult as it involves mirror
> operators that are not under direct control of gentoo infrastructure.)


+1



> As I know these discussions, I'll already answer to some
> counter-arguments that may come up:
>
> It's not necessary to do https on pages without logins
> These kinds of arguments show a fundamental misunderstanding of what
> https does. It guarantees confidentiality *and* integrity. In short, it
> protects content not only from observation, but also from manipulation,
> which is always a good thing. A very practical example is that on some
> networks foreign ads get injected into other people's webpages.


ack



> Makes things slower / servers can't handle it
> The performance costs for TLS on a server are often vastly overstated.
> The performance hit on servers doing https is very close to zero, it
> just doesn't matter much.
> There are some latency problems for connections, but these can mostly
> be wiped out by a sane configuration of the server. If http/2 is used
> one can even improve the performance with https.


And often a too slow /dev/random is the culprit, which can be fixed
by using haveged.




> Certificates are too expensive
> Gentoo already has certs for all pages, so this is not an argument
> here, but if this ever becomes an issue there are a number of CAs these
> days that issue free certs. In summer the community based CA Let's
> encrypt will start which will be another option.


Or CAs which offer a Cert Flatrate for a small fee per year like 
StartSSL.com




> CAs are bad and the whole system is broken
> Partly true, but it doesn't get any better if people stick to HTTP.
> Many problems of the CA system can be mitigated by modern technologies
> like Key Pinning and Certificate Transparency.
>
> I think defaulting the net to HTTPS is a big step for more security and
> I think Gentoo should join the trend here.


... DNSSEC with TLSA records comes to my mind


--
0x35A64134 - 8AAC 5F46 83B4 DB70 8317
3723 296C 6CCA 35A6 4134




Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Dirkjan Ochtman
On Fri, Mar 27, 2015 at 3:33 PM, Hanno Böck ha...@gentoo.org wrote:
> I'd propose the following:
> * Make all pages under .gentoo.org https by default
> * Make sure all use modern HTTPS features, including:
>  * OCSP Stapling
>  * HSTS
>  * A secure collection of cipher suites
>  * (one may add HPKP here, but it requires careful planning and has the
>    potential to lock people out of the page if done wrong)
> (In the long term I think it would also be good to have downloads over
> https, but I'm aware that this is more difficult as it involves mirror
> operators that are not under direct control of gentoo infrastructure.)

I'm with you!

Cheers,

Dirkjan



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Hanno Böck
On Fri, 27 Mar 2015 15:14:02 -0400
Rich Freeman ri...@gentoo.org wrote:

> As has been pointed out, this is a moot issue for Gentoo.  However,
> I'm not aware of anybody who both offers a free certificate and will
> let you change your private key if it is compromised free of charge.

I think wosign does.
Haven't tested, but discussion on hacker news indicates revocation is
free [1].

And yes, the startssl behaviour regarding revocation is not good...


[1] https://news.ycombinator.com/item?id=8982013

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Robin H. Johnson
On Fri, Mar 27, 2015 at 03:33:15PM +0100, Hanno Böck wrote:
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.
Please read my one counter-argument below, as it's not one you refuted.

> Right now we seem to have a mix:
...
> * Some with logins are mixed http/login-via-https, which makes them
>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
Are you sure about this? Everything on wiki should always redirect to SSL very 
early.

> I'd propose the following:
> * Make all pages under .gentoo.org https by default
Enabled for the following sites now (copied from cfengine commit):
 files/etc/apache2/vhosts.d/sites/ads/01_ads.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/api/api.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/archives/30_archives.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/blogs/35_blogs.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/devmanual/35_devmanual.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/forums/01_forums.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/get/36_get.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/infra-status/40_infra-status.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/mirrorstats/20_mirrorstats.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/packages/packages.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/planet/40_planet.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/qa-reports/36_qa-reports.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/sources/30_sources.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/www/www.gentoo.org.conf | 6 ++
 14 files changed, 84 insertions(+)

> * Make sure all use modern HTTPS features, including:
>  * OCSP Stapling
SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

>  * HSTS
It's coming already, you can see it on security.gentoo.org.

>  * A secure collection of cipher suites
What's wrong with our present Ciphers?
https://www.ssllabs.com/ssltest/analyze.html?d=gentoo.org
We have them configured per:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
SSLCompression off

>  * (one may add HPKP here, but it requires careful planning and has the
>    potential to lock people out of the page if done wrong)
Too risky at this point.

> (In the long term I think it would also be good to have downloads over
> https, but I'm aware that this is more difficult as it involves mirror
> operators that are not under direct control of gentoo infrastructure.)
This is why we published signatures on as much as we can.

> As I know these discussions, I'll already answer to some
> counter-arguments that may come up:
Users behind firewalls that block HTTPS are now going to be blocked from Gentoo
services.

Last time we proposed going HTTPS-by-default, there was complaint from users
that were going to be locked out.

I've turned it on anyway now, and want them to come out of the woodwork to
refute you that we're ready for HTTPS-by-default.

> Certificates are too expensive
> Gentoo already has certs for all pages, so this is not an argument
> here, but if this ever becomes an issue there are a number of CAs these
> days that issue free certs. In summer the community based CA Let's
> encrypt will start which will be another option.
We're still limited when it comes to services that need wildcards for the
service. We have one such presently, and I hope we don't get more:
Bugzilla, for attachments (which are served at a different hostname that can't
access your base bugzilla cookies even if the attachment contains javascript that
runs).

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Robin H. Johnson
On Fri, Mar 27, 2015 at 04:44:16PM +0100, Marc Schiffbauer wrote:
>> Certificates are too expensive
>> Gentoo already has certs for all pages, so this is not an argument
>> here, but if this ever becomes an issue there are a number of CAs these
>> days that issue free certs. In summer the community based CA Let's
>> encrypt will start which will be another option.
> Or CAs which offer a Cert Flatrate for a small fee per year like
> StartSSL.com
Please don't promote StartSSL with their excessive demands for personal
information:
https://www.startssl.com/?app=34
Passport AND (Drivers License or National ID)

To be able to issue certs from them, EACH person in an organization
needs to comply with that Identity Validation, and the organization
validation is on top of that:
https://www.startssl.com/?app=35

How many people here would willingly send this level of detail to
somebody in a foreign country? Does your home country not have strict
regulations about who can keep a copy of this information (retaining
this information is mostly prohibited by my local laws).

We're with DigiCert instead, where only the organization was verified.
They also have a good API for generating certificates, which was
invaluable during the Heartbleed certificate switchover.

 I think defaulting the net to HTTPS is a big step for more security and
 I think Gentoo should join the trend here.
 ... DNSSEC with TLSA records comes to my mind
I proposed TLSA on the lists last year, and got very few takers.
DNSSEC has been in place for years already.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Dirkjan Ochtman
On Fri, Mar 27, 2015 at 8:29 PM, Hanno Böck ha...@gentoo.org wrote:
>> SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.
>
> That's unfortunate, apache 2.2 is pretty outdated when it
> comes to tls security.

Please help with the blockers for 2.4 stabilization!

Cheers,

Dirkjan



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Hanno Böck
On Fri, 27 Mar 2015 19:18:24 +
Robin H. Johnson robb...@gentoo.org wrote:

>> * Some with logins are mixed http/login-via-https, which makes them
>>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
> Are you sure about this? Everything on wiki should always redirect to
> SSL very early.

Sure about what?
When I call the wiki page I currently get:
http://wiki.gentoo.org/wiki/Main_Page

Clicking on login will redirect to https, but at that point an attacker
is already able to change this link.

> Enabled for the following sites now (copied from cfengine commit):

Great. (However I don't see that yet live - server restart needed or is
there some deployment process that has to happen first?)

>> * Make sure all use modern HTTPS features, including:
>>  * OCSP Stapling
> SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

That's unfortunate, apache 2.2 is pretty outdated when it
comes to tls security.

>>  * A secure collection of cipher suites
> What's wrong with our present Ciphers?

Haven't checked them in detail, looks mostly fine. One issue: DH
ciphers with a small modulus (1024 bit). But that's unfixable within
apache 2.2, so same as above.

>> (In the long term I think it would also be good to have downloads
>> over https, but I'm aware that this is more difficult as it
>> involves mirror operators that are not under direct control of
>> gentoo infrastructure.)
> This is why we published signatures on as much as we can.

Yes, signatures are fine, but realistically they require manual
intervention and not everyone will do that. Defaulting to https is a
very usable way to make malicious downloads less likely. Signatures
should stay as an additional protection measure.

> Users behind firewalls that block HTTPS are now going to be blocked
> from Gentoo services.
>
> Last time we proposed going HTTPS-by-default, there was complaint
> from users that were going to be locked out.

I would be very surprised if this is an issue any more.

These days pretty much all big players use https only (google,
facebook, twitter, github, ...). You can't really use the
mainstream internet if your firewall blocks https.

> We're still limited when it comes to services that need wildcards for
> the service. We have one such presently, and I hope we don't get more:
> Bugzilla, for attachments. (which are served at a different hostname
> that can't access your base bugzilla cookies even the attachment
> contains javascript that runs).

I have hopes that Let's encrypt will also allow free wildcards, but
that seems to be undecided yet.
But wildcards aren't super-expensive. One can e.g. get a validation by
startssl for an unlimited number of wildcards for a year, I don't
remember the exact price but it was in the 100-200$ range.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Rich Freeman
On Fri, Mar 27, 2015 at 11:44 AM, Marc Schiffbauer msch...@gentoo.org wrote:
> * Hanno Böck wrote on 27.03.15 at 15:33:
>
>> Certificates are too expensive
>> Gentoo already has certs for all pages, so this is not an argument
>> here, but if this ever becomes an issue there are a number of CAs these
>> days that issue free certs. In summer the community based CA Let's
>> encrypt will start which will be another option.
>
> Or CAs which offer a Cert Flatrate for a small fee per year like
> StartSSL.com

As has been pointed out, this is a moot issue for Gentoo.  However,
I'm not aware of anybody who both offers a free certificate and will
let you change your private key if it is compromised free of charge.

StartSSL in fact refuses to revoke certificates even when people
publish their private keys publicly.  If you buy a previously-used
domain you might want to make sure that there isn't a StartSSL
certificate floating around for it which is still valid...

I don't think this has any bearing whatsoever on Gentoo, but it does
annoy me when people say that there are free cert options out there,
when the whole point of having a CA is security and the ones which are
both trusted and free have some pretty horrible security practices.

The current CA system is horribly broken, but not as broken as not
using SSL, or browsers which don't make you click 5 buttons every time
you visit a non-SSL website the way they do when you visit an SSL
website with an untrusted certificate.  :)

--
Rich



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Robin H. Johnson
On Fri, Mar 27, 2015 at 06:14:38PM +0100, Thomas D. wrote:
>> Right now we seem to have a mix:
>> * A number of webpages default to http and have optional https
>>   (www.gentoo.org)
>> * Some with sensitive logins are already https by default (e.g.
>>   bugs.gentoo.org), but they don't use hsts, which they should
>> * Some with logins are mixed http/login-via-https, which makes them
>>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
> Don't forget the forum (http://forums.gentoo.org/). Even if you connect
> to https://forums.gentoo.org/ it will always fall back to HTTP.
I can't reproduce this downgrade that you describe; please provide some
steps to show it?

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Diego Elio Pettenò
On 27 March 2015 at 19:14, Rich Freeman ri...@gentoo.org wrote:

> StartSSL in fact refuses to revoke certificates even when people
> publish their private keys publicly.  If you buy a previously-used
> domain you might want to make sure that there isn't a StartSSL
> certificate floating around for it which is still valid...

Uh? They don't do it for free, but they do revoke certificate if you pay for it.
xine-project.org has a revoked cert from last year due to heartbleed.

Diego Elio Pettenò — Flameeyes
https://blog.flameeyes.eu/