Re: HTTPS for mirrors
On 5/1/22 05:46, Henrik K wrote: > > If you look at current MIRRORED.BY, that's how it already done. > > Only 3.3 skips any non-http:// lines. So 3.3 rule updates need to be > officially deprecated before changing last http-mirror. And amazingly there > are still active users as seen from the "if has()" reports.. > on my mirror ~10% requests have http user-agent sa-update/svn*/3.3.x, this is not a correct calculated percent because some users are checking the mirrors more often then others. Giovanni > I'll leave general timetable for the list consensus, it's up to the > volunteers.. > > On Sat, Apr 30, 2022 at 09:55:26PM -0400, Kevin A. McGrail wrote: >> That's quite interesting, Dave. Thanks. >> >> Henrik, do we have a way of supporting both http and https? So like one >> config line is http and another is https? Then we can ask mirrors to start >> moving to https with a goal perhaps of next May? >> >> Regards, >> >> KAM >> >> On 4/29/2022 12:27 AM, Dave Warren wrote: >>> On 2022-04-28 07:30, Bill Cole wrote: I see no reason to make HTTPS mandatory for mirrors at this point. It does mean an extra layer that can break and the impersonation attacks that it enables would be extremely complicated to mount, so may be entirely theoretical. I would rather keep unencrypted mirrors for the sake of availability than drive away helpful collaborators just because they haven't had a free hour recently to make HTTPS work. >>> >>> I don't care either way, but it is literally more work for me to >>> maintain a HTTP mirror than not. >>> >>> Why? My web server configuration all starts with a default "HTTP? 301 >>> redirect to HTTPS" rule, so getting HTTP content to bypass that is >>> literally more lines of configuration, and extra testing when upgrading >>> software or moving stuff around. >>> >>> It isn't a big deal. The "work" is already done, and I mirror >>> torbrowser and sometimes tails as well and there is a stronger use-case >>> for maintaining HTTP indefinitely there, so adding one more hostname to >>> the "okay, serve it with http too" list isn't even on my radar of >>> things to care about. >>> >>> I do care about encryption in general though. >>> >>> HTTPS is an inconsequential amount of overhead and has been for a >>> decade or so (from my perspective). And I have trouble imagining any >>> machine that is simultaneously powerful enough to run SpamAssassin and >>> also finds the overhead of HTTPS as consequential. >>> >>> As noted elsewhere in the thread, I'm one of the mirrors that offers >>> HTTPS already, this is because it is already part of my provisioning >>> system when I add a site and like allowing HTTP at all, it would be >>> more work to carve out an exception. >>> >>> I have no preference or vote in either direction here specifically, but >>> for my part I consider HTTP legacy and am a strong believer in >>> replacing HTTP services with a static 301 response and calling it a >>> day. >> >> -- >> Kevin A. McGrail >> kmcgr...@apache.org >> >> Member, Apache Software Foundation >> Chair Emeritus Apache SpamAssassin Project >> https://www.linkedin.com/in/kmcgrail - 703.798.0171 OpenPGP_signature Description: OpenPGP digital signature
Re: HTTPS for mirrors
Thanks, Henrik. I'm agnostic on this change but I thought it was interesting it took Dave some trouble to setup http vs https. On 4/30/2022 11:46 PM, Henrik K wrote: If you look at current MIRRORED.BY, that's how it already done. Only 3.3 skips any non-http:// lines. So 3.3 rule updates need to be officially deprecated before changing last http-mirror. And amazingly there are still active users as seen from the "if has()" reports.. I'll leave general timetable for the list consensus, it's up to the volunteers.. On Sat, Apr 30, 2022 at 09:55:26PM -0400, Kevin A. McGrail wrote: That's quite interesting, Dave. Thanks. Henrik, do we have a way of supporting both http and https? So like one config line is http and another is https? Then we can ask mirrors to start moving to https with a goal perhaps of next May? Regards, KAM On 4/29/2022 12:27 AM, Dave Warren wrote: On 2022-04-28 07:30, Bill Cole wrote: I see no reason to make HTTPS mandatory for mirrors at this point. It does mean an extra layer that can break and the impersonation attacks that it enables would be extremely complicated to mount, so may be entirely theoretical. I would rather keep unencrypted mirrors for the sake of availability than drive away helpful collaborators just because they haven't had a free hour recently to make HTTPS work. I don't care either way, but it is literally more work for me to maintain a HTTP mirror than not. Why? My web server configuration all starts with a default "HTTP? 301 redirect to HTTPS" rule, so getting HTTP content to bypass that is literally more lines of configuration, and extra testing when upgrading software or moving stuff around. It isn't a big deal. The "work" is already done, and I mirror torbrowser and sometimes tails as well and there is a stronger use-case for maintaining HTTP indefinitely there, so adding one more hostname to the "okay, serve it with http too" list isn't even on my radar of things to care about. I do care about encryption in general though. HTTPS is an inconsequential amount of overhead and has been for a decade or so (from my perspective). And I have trouble imagining any machine that is simultaneously powerful enough to run SpamAssassin and also finds the overhead of HTTPS as consequential. As noted elsewhere in the thread, I'm one of the mirrors that offers HTTPS already, this is because it is already part of my provisioning system when I add a site and like allowing HTTP at all, it would be more work to carve out an exception. I have no preference or vote in either direction here specifically, but for my part I consider HTTP legacy and am a strong believer in replacing HTTP services with a static 301 response and calling it a day. -- Kevin A. McGrail kmcgr...@apache.org Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171 -- Kevin A. McGrail kmcgr...@apache.org Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: HTTPS for mirrors
If you look at current MIRRORED.BY, that's how it already done. Only 3.3 skips any non-http:// lines. So 3.3 rule updates need to be officially deprecated before changing last http-mirror. And amazingly there are still active users as seen from the "if has()" reports.. I'll leave general timetable for the list consensus, it's up to the volunteers.. On Sat, Apr 30, 2022 at 09:55:26PM -0400, Kevin A. McGrail wrote: > That's quite interesting, Dave. Thanks. > > Henrik, do we have a way of supporting both http and https? So like one > config line is http and another is https? Then we can ask mirrors to start > moving to https with a goal perhaps of next May? > > Regards, > > KAM > > On 4/29/2022 12:27 AM, Dave Warren wrote: > > On 2022-04-28 07:30, Bill Cole wrote: > > > I see no reason to make HTTPS mandatory for mirrors at this point. > > > It does mean an extra layer that can break and the impersonation > > > attacks that it enables would be extremely complicated to mount, so > > > may be entirely theoretical. I would rather keep unencrypted > > > mirrors for the sake of availability than drive away helpful > > > collaborators just because they haven't had a free hour recently to > > > make HTTPS work. > > > > I don't care either way, but it is literally more work for me to > > maintain a HTTP mirror than not. > > > > Why? My web server configuration all starts with a default "HTTP? 301 > > redirect to HTTPS" rule, so getting HTTP content to bypass that is > > literally more lines of configuration, and extra testing when upgrading > > software or moving stuff around. > > > > It isn't a big deal. The "work" is already done, and I mirror > > torbrowser and sometimes tails as well and there is a stronger use-case > > for maintaining HTTP indefinitely there, so adding one more hostname to > > the "okay, serve it with http too" list isn't even on my radar of > > things to care about. > > > > I do care about encryption in general though. > > > > HTTPS is an inconsequential amount of overhead and has been for a > > decade or so (from my perspective). And I have trouble imagining any > > machine that is simultaneously powerful enough to run SpamAssassin and > > also finds the overhead of HTTPS as consequential. > > > > As noted elsewhere in the thread, I'm one of the mirrors that offers > > HTTPS already, this is because it is already part of my provisioning > > system when I add a site and like allowing HTTP at all, it would be > > more work to carve out an exception. > > > > I have no preference or vote in either direction here specifically, but > > for my part I consider HTTP legacy and am a strong believer in > > replacing HTTP services with a static 301 response and calling it a > > day. > > -- > Kevin A. McGrail > kmcgr...@apache.org > > Member, Apache Software Foundation > Chair Emeritus Apache SpamAssassin Project > https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: HTTPS for mirrors
That's quite interesting, Dave. Thanks. Henrik, do we have a way of supporting both http and https? So like one config line is http and another is https? Then we can ask mirrors to start moving to https with a goal perhaps of next May? Regards, KAM On 4/29/2022 12:27 AM, Dave Warren wrote: On 2022-04-28 07:30, Bill Cole wrote: I see no reason to make HTTPS mandatory for mirrors at this point. It does mean an extra layer that can break and the impersonation attacks that it enables would be extremely complicated to mount, so may be entirely theoretical. I would rather keep unencrypted mirrors for the sake of availability than drive away helpful collaborators just because they haven't had a free hour recently to make HTTPS work. I don't care either way, but it is literally more work for me to maintain a HTTP mirror than not. Why? My web server configuration all starts with a default "HTTP? 301 redirect to HTTPS" rule, so getting HTTP content to bypass that is literally more lines of configuration, and extra testing when upgrading software or moving stuff around. It isn't a big deal. The "work" is already done, and I mirror torbrowser and sometimes tails as well and there is a stronger use-case for maintaining HTTP indefinitely there, so adding one more hostname to the "okay, serve it with http too" list isn't even on my radar of things to care about. I do care about encryption in general though. HTTPS is an inconsequential amount of overhead and has been for a decade or so (from my perspective). And I have trouble imagining any machine that is simultaneously powerful enough to run SpamAssassin and also finds the overhead of HTTPS as consequential. As noted elsewhere in the thread, I'm one of the mirrors that offers HTTPS already, this is because it is already part of my provisioning system when I add a site and like allowing HTTP at all, it would be more work to carve out an exception. I have no preference or vote in either direction here specifically, but for my part I consider HTTP legacy and am a strong believer in replacing HTTP services with a static 301 response and calling it a day. -- Kevin A. McGrail kmcgr...@apache.org Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: HTTPS for mirrors
On 2022-04-28 07:30, Bill Cole wrote: I see no reason to make HTTPS mandatory for mirrors at this point. It does mean an extra layer that can break and the impersonation attacks that it enables would be extremely complicated to mount, so may be entirely theoretical. I would rather keep unencrypted mirrors for the sake of availability than drive away helpful collaborators just because they haven't had a free hour recently to make HTTPS work. I don't care either way, but it is literally more work for me to maintain a HTTP mirror than not. Why? My web server configuration all starts with a default "HTTP? 301 redirect to HTTPS" rule, so getting HTTP content to bypass that is literally more lines of configuration, and extra testing when upgrading software or moving stuff around. It isn't a big deal. The "work" is already done, and I mirror torbrowser and sometimes tails as well and there is a stronger use-case for maintaining HTTP indefinitely there, so adding one more hostname to the "okay, serve it with http too" list isn't even on my radar of things to care about. I do care about encryption in general though. HTTPS is an inconsequential amount of overhead and has been for a decade or so (from my perspective). And I have trouble imagining any machine that is simultaneously powerful enough to run SpamAssassin and also finds the overhead of HTTPS as consequential. As noted elsewhere in the thread, I'm one of the mirrors that offers HTTPS already, this is because it is already part of my provisioning system when I add a site and like allowing HTTP at all, it would be more work to carve out an exception. I have no preference or vote in either direction here specifically, but for my part I consider HTTP legacy and am a strong believer in replacing HTTP services with a static 301 response and calling it a day.
Re: HTTPS for mirrors
On Wed, Apr 27, 2022 at 05:34:57PM +0300, Henrik K wrote: > > Btw I just updated DNS to https too: > mirrors.updates.spamassassin.org. > "https://spamassassin.apache.org/updates/MIRRORED.BY"; Actually it's now: mirrors.updates.spamassassin.org. "https://spamassassin.apache.org/updates/MIRRORED.BY"; mirrors.updates.spamassassin.org. "http://sa-update.spamassassin.org/MIRRORED.BY"; Not sure why before it relied only on apache.org as a single point of failure. Multiple records have been supported atleast from 3.3, so why not have two project maintained servers there..
Re: HTTPS for mirrors
On Thu, Apr 28, 2022 at 09:30:21AM -0400, Bill Cole wrote: > > and the impersonation attacks that it enables would be extremely > complicated to mount, so may be entirely theoretical. Of course it is. It's probably thousand times more likely that a mirror itself is hacked and it's files replaced. But don't you love to see a warm and fuzzy secure lock on your connection?
Re: HTTPS for mirrors
On 2022-04-28 at 06:40:58 UTC-0400 (Thu, 28 Apr 2022 12:40:58 +0200 (CEST)) Fossies Administrator is rumored to have said: On Wed, 27 Apr 2022, Henrik K wrote: There's really no reason these days for not using https. Only three mirrors work with it right now: sa-update.razx.cloud sa-update.pccc.com sa-update.mailfud.org Could maybe others prepare for it? sa-update seems to happily use https:// mirrors starting from 3.4.0, so there shouldn't be any reason not to update these. Btw I just updated DNS to https too: mirrors.updates.spamassassin.org. "https://spamassassin.apache.org/updates/MIRRORED.BY"; Apparently spamassassin.apache.org has had https-redirect for a long time, which broke the old checkSAupdateMirrors.sh script too. Unfortunately my server fossies.org currently uses a commercial certificate only usable for the names "fossies.org" and "www.fossies.org" but not for "sa-update.fossies.org" and some first general tests some months ago using Let's Encrypt were not yet successful. It is easy enough to adjust the URL for your mirror to align with a certificate that works. There's nothing magical about the 'sa-update' hostname. FWIW, I've had the best LE experience using the "acme.sh" tool (https://github.com/acmesh-official/acme.sh) rather than the Python-based Certbot tool. It has support for LE and for some other free certificate services. Since I don't know when I have time for a new attempt (probably summer/autumn after a big hardware migration) and the https request seems understandable you may remove the server "sa-update.fossies.org" if meaningful (relatively easy to get over, since it only has a weight of 1). I see no reason to make HTTPS mandatory for mirrors at this point. It does mean an extra layer that can break and the impersonation attacks that it enables would be extremely complicated to mount, so may be entirely theoretical. I would rather keep unencrypted mirrors for the sake of availability than drive away helpful collaborators just because they haven't had a free hour recently to make HTTPS work. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire
Re: HTTPS for mirrors
On 2022-04-28 at 07:36:45 UTC-0400 (Thu, 28 Apr 2022 14:36:45 +0300) Henrik K is rumored to have said: On Thu, Apr 28, 2022 at 07:26:41AM -0400, Kevin A. McGrail wrote: We discussed this a year or two ago. The data on there is not sensitive and is cryptographically verified by spamassassin before being used. Can you name a single reason the data needs to be encrypted in transit? Targeted host impersonation attacks. Even if an attacker couldn't inject a signed package using the right key this way, they could prevent updates by injecting an old package with a new name or arbitrary signed packages using an impersonating key. I think it is only prudent to treat SA rules and config as code, and assume that a malicious actor who can inject arbitrary rules and config can take over a machine, particularly on machines using spamd (often running as root so that it can support per-user rules.) We've closed the obvious paths for that, but I don't think we can or should assume that the worst thing bad rules can do is make SA mislabel mail (bad enough in itself.) It's only verified if the user chooses to do so, is not downloading stuff manually or whatever. Regardless, can YOU name a single reason why transmitted data should not be encrypted in the year 2022, as it's trivial to do so? Strange debate from a security expert. We've already seen one described in this thread by a mirror admin. It is apparently non-trivial to set up and maintain a working certificate configuration. Host authentication is the one compelling reason for using HTTPS with public data, so being lenient in certificate validation is not a solution. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire
Re: HTTPS for mirrors
On Thu, Apr 28, 2022 at 07:41:56AM -0400, Kevin A. McGrail wrote: > By default, the data is cryptographically verified. An admin has to > specifically turn off that feature. > > There's little benefits of using HTTPS in this specific setting and it's > just an extra requirement on our volunteer mirrors. It will add time, CPU > load, and even a small amount of bandwidth increase. All to achieve nothing. > > >From a security analysis, this is public data so it's a very low risk with > no data toxicity. > > I just don't see the benefit. As a security expert, I also make sure to > focus my time where it's best utilized. So I am recommending that you and > I can spend our time elsewhere as well as our mirror volunteers :-) I spent few hours to prove that it works and simple to activate, making things more future proof. No one is forcing mirrors to migrate (sad to say I'm not a dictator), but I'd suggest everyone does. Even my Intel Atom server handles all the SSL with few percent CPU load - talking about the CPU/bandwidth wastes more time..
Re: HTTPS for mirrors
By default, the data is cryptographically verified. An admin has to specifically turn off that feature. There's little benefits of using HTTPS in this specific setting and it's just an extra requirement on our volunteer mirrors. It will add time, CPU load, and even a small amount of bandwidth increase. All to achieve nothing. >From a security analysis, this is public data so it's a very low risk with no data toxicity. I just don't see the benefit. As a security expert, I also make sure to focus my time where it's best utilized. So I am recommending that you and I can spend our time elsewhere as well as our mirror volunteers :-) -KAM On Thu, Apr 28, 2022, 07:36 Henrik K wrote: > On Thu, Apr 28, 2022 at 07:26:41AM -0400, Kevin A. McGrail wrote: > > We discussed this a year or two ago. The data on there is not sensitive > and > > is cryptographically verified by spamassassin before being used. Can you > > name a single reason the data needs to be encrypted in transit? KAM > > It's only verified if the user chooses to do so, is not downloading stuff > manually or whatever. Regardless, can YOU name a single reason why > transmitted data should not be encrypted in the year 2022, as it's trivial > to do so? Strange debate from a security expert. > >
Re: HTTPS for mirrors
On Thu, Apr 28, 2022 at 07:26:41AM -0400, Kevin A. McGrail wrote: > We discussed this a year or two ago. The data on there is not sensitive and > is cryptographically verified by spamassassin before being used. Can you > name a single reason the data needs to be encrypted in transit? KAM It's only verified if the user chooses to do so, is not downloading stuff manually or whatever. Regardless, can YOU name a single reason why transmitted data should not be encrypted in the year 2022, as it's trivial to do so? Strange debate from a security expert.
Re: HTTPS for mirrors
We discussed this a year or two ago. The data on there is not sensitive and is cryptographically verified by spamassassin before being used. Can you name a single reason the data needs to be encrypted in transit? KAM On Thu, Apr 28, 2022, 07:17 Henrik K wrote: > On Thu, Apr 28, 2022 at 12:40:58PM +0200, Fossies Administrator wrote: > > On Wed, 27 Apr 2022, Henrik K wrote: > > > > > > > > There's really no reason these days for not using https. > > > > > > Only three mirrors work with it right now: > > > > > > sa-update.razx.cloud > > > sa-update.pccc.com > > > sa-update.mailfud.org > > > > > > Could maybe others prepare for it? sa-update seems to happily use > https:// > > > mirrors starting from 3.4.0, so there shouldn't be any reason not to > update > > > these. > > > > > > Btw I just updated DNS to https too: > > > mirrors.updates.spamassassin.org. " > https://spamassassin.apache.org/updates/MIRRORED.BY"; > > > > > > Apparently spamassassin.apache.org has had https-redirect for a long > time, > > > which broke the old checkSAupdateMirrors.sh script too. > > > > Unfortunately my server fossies.org currently uses a commercial > certificate > > only usable for the names "fossies.org" and "www.fossies.org" but not > for > > "sa-update.fossies.org" and some first general tests some months ago > using > > Let's Encrypt were not yet successful. > > > > Since I don't know when I have time for a new attempt (probably > > summer/autumn after a big hardware migration) and the https request seems > > understandable you may remove the server "sa-update.fossies.org" > > if meaningful (relatively easy to get over, since it only has a weight > of 1). > > I don't see it as a huge problem if we leave few mirrors as http:// - it > enables ancient 3.3 clients to still get some updates.. dunno if that's > good or bad. Maybe let's try to convert all "this year"? > > Btw about mirror weights, how were they decided? Basically weight=1 means > there's a 1/50 chance to get a request, or 10 times less than the weight=10 > mirrors. Is everyone happy about the amount of traffic they receive? I'll > probably bump mine up a bit since I have no traffic limits/costs.. > > sa-update.verein-clean.net (1/4.8 chance) > sa-update.spamassassin.org (1/4.8 chance) > www.sa-update.pccc.com (1/9.6 chance) > sa-update.ena.com (1/9.6 chance) > sa-update.razx.cloud (1/9.6 chance) > sa-update-asf.snb.it (1/9.6 chance) > sa-update.dnswl.org (1/16.0 chance) > sa-update.mailfud.org (1/16.0 chance) > sa-update.space-pro.be (1/47.2 chance) > sa-update.fossies.org (1/47.4 chance) > > Cheers, > Henrik >
Re: HTTPS for mirrors
On Thu, Apr 28, 2022 at 12:40:58PM +0200, Fossies Administrator wrote: > On Wed, 27 Apr 2022, Henrik K wrote: > > > > > There's really no reason these days for not using https. > > > > Only three mirrors work with it right now: > > > > sa-update.razx.cloud > > sa-update.pccc.com > > sa-update.mailfud.org > > > > Could maybe others prepare for it? sa-update seems to happily use https:// > > mirrors starting from 3.4.0, so there shouldn't be any reason not to update > > these. > > > > Btw I just updated DNS to https too: > > mirrors.updates.spamassassin.org. > > "https://spamassassin.apache.org/updates/MIRRORED.BY"; > > > > Apparently spamassassin.apache.org has had https-redirect for a long time, > > which broke the old checkSAupdateMirrors.sh script too. > > Unfortunately my server fossies.org currently uses a commercial certificate > only usable for the names "fossies.org" and "www.fossies.org" but not for > "sa-update.fossies.org" and some first general tests some months ago using > Let's Encrypt were not yet successful. > > Since I don't know when I have time for a new attempt (probably > summer/autumn after a big hardware migration) and the https request seems > understandable you may remove the server "sa-update.fossies.org" > if meaningful (relatively easy to get over, since it only has a weight of 1). I don't see it as a huge problem if we leave few mirrors as http:// - it enables ancient 3.3 clients to still get some updates.. dunno if that's good or bad. Maybe let's try to convert all "this year"? Btw about mirror weights, how were they decided? Basically weight=1 means there's a 1/50 chance to get a request, or 10 times less than the weight=10 mirrors. Is everyone happy about the amount of traffic they receive? I'll probably bump mine up a bit since I have no traffic limits/costs.. sa-update.verein-clean.net (1/4.8 chance) sa-update.spamassassin.org (1/4.8 chance) www.sa-update.pccc.com (1/9.6 chance) sa-update.ena.com (1/9.6 chance) sa-update.razx.cloud (1/9.6 chance) sa-update-asf.snb.it (1/9.6 chance) sa-update.dnswl.org (1/16.0 chance) sa-update.mailfud.org (1/16.0 chance) sa-update.space-pro.be (1/47.2 chance) sa-update.fossies.org (1/47.4 chance) Cheers, Henrik
Re: HTTPS for mirrors
On Wed, 27 Apr 2022, Henrik K wrote: There's really no reason these days for not using https. Only three mirrors work with it right now: sa-update.razx.cloud sa-update.pccc.com sa-update.mailfud.org Could maybe others prepare for it? sa-update seems to happily use https:// mirrors starting from 3.4.0, so there shouldn't be any reason not to update these. Btw I just updated DNS to https too: mirrors.updates.spamassassin.org. "https://spamassassin.apache.org/updates/MIRRORED.BY"; Apparently spamassassin.apache.org has had https-redirect for a long time, which broke the old checkSAupdateMirrors.sh script too. Unfortunately my server fossies.org currently uses a commercial certificate only usable for the names "fossies.org" and "www.fossies.org" but not for "sa-update.fossies.org" and some first general tests some months ago using Let's Encrypt were not yet successful. Since I don't know when I have time for a new attempt (probably summer/autumn after a big hardware migration) and the https request seems understandable you may remove the server "sa-update.fossies.org" if meaningful (relatively easy to get over, since it only has a weight of 1). Regards Jens -- FOSSIES - The Fresh Open Source Software archive mainly for Internet, Engineering and Science https://fossies.org/