[arch-dev-public] [RFC] Add archlinux.org domain to HSTS Preload list
Hi All,

With some improvements we have been doing to the infrastructure, we've reached a point where practically everything on archlinux.org is hosted using TLS/SSL.

I have run an sslyze test on every one of our DNS entries, and the ones that did not answer are supposed to. In case you guys are interested, I'm putting links to the tests I performed in json format at the end of the email.[0][1]

My question is, should we add archlinux.org to the HSTS preload list?[2] Or, better yet, should we ever host something *not* using TLS/SSL?

Cheers,
Giancarlo Razzolini

[0] Full test, quite big: https://paste.xinu.at/UOII
[1] Failed hosts: https://paste.xinu.at/5srl/
[2] https://hstspreload.org/
On 04.01.2017 20:43, Giancarlo Razzolini wrote:
> Hi All,
>
> With some improvements we have been doing to the infrastructure, we've reached a point where practically everything on archlinux.org is hosted using TLS/SSL.
>
> I have run an sslyze test on every one of our DNS entries, and the ones that did not answer are supposed to. In case you guys are interested, I'm putting links to the tests I performed in json format at the end of the email.[0][1]
>
> My question is, should we add archlinux.org to the HSTS preload list?[2] Or, better yet, should we ever host something *not* using TLS/SSL?
>
> Cheers,
> Giancarlo Razzolini
>
> [0] Full test, quite big: https://paste.xinu.at/UOII
> [1] Failed hosts: https://paste.xinu.at/5srl/
> [2] https://hstspreload.org/

In general a great idea. Our Torrent tracker does not support https as it seems: http://tracker.archlinux.org:6969/stat
I haven't looked into it yet though. Port 443 redirects to bbs which is strange...

Greetings,
Pierre

--
Pierre Schmitz, https://pierre-schmitz.com
On January 5, 2017 14:26 Pierre Schmitz wrote:
> In general a great idea. Our Torrent tracker does not support https as it seems: http://tracker.archlinux.org:6969/stat
> I haven't looked into it yet though. Port 443 redirects to bbs which is strange...

I only tested port 443 on those servers. sslyze can test for STARTTLS on most services (smtp and others), but I focused on standard https. If the tracker is not replying on https, I'm confident we can make it do so. My intention with the RFC was/is mainly to see if we have any show stoppers that might prevent us from doing so.

And, it is worth noting that HSTS preloading works mainly (only?) for browsers. Libraries and command line tools don't use it, as far as I know, nor would Bittorrent clients. Also, once included, removal is not very easy. So, if we do this, we must be sure we will not host anything not using TLS.

One option though is to not include subdomains and only add archlinux.org and www to the preload list now, and add the entire domain after we are sure.

Cheers,
Giancarlo Razzolini
On January 5, 2017 15:27 Giancarlo Razzolini wrote:
> One option though is to not include subdomains and only add archlinux.org and www to the preload list now, and add the entire domain after we are sure.

As I was reminded off list, preload is an all-or-nothing approach, due to the restrictions on the size of the preload list.

Cheers,
Giancarlo Razzolini
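The two constraints discussed above (the header must be preload-eligible, and since preload is all-or-nothing every host under the domain must speak TLS) can be checked offline before submitting. This is an added example, not code from the thread or from the Arch infrastructure repository; the host inventory is constructed, and the thresholds are the published hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload).

```python
# Offline check of Strict-Transport-Security (STS) headers against the
# hstspreload.org submission rules: max-age >= 1 year, includeSubDomains, preload.
ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts

def parse_hsts(header):
    """Parse an STS header value into a dict of lower-cased directives.
    Returns None for malformed input (duplicate directive, non-numeric max-age)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:  # RFC 6797: a repeated directive invalidates the header
            return None
        directives[name] = value
    if "max-age" in directives and not directives["max-age"].isdigit():
        return None
    return directives

def preload_eligible(header):
    """Return (ok, reasons); ok is True only when every preload rule holds."""
    d = parse_hsts(header)
    if d is None or "max-age" not in d:
        return False, ["malformed header or missing max-age"]
    reasons = []
    if int(d["max-age"]) < ONE_YEAR:
        reasons.append("max-age below one year")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains missing")
    if "preload" not in d:
        reasons.append("preload directive missing")
    return not reasons, reasons

def plain_http_blockers(domain, hosts):
    """Given {hostname: serves_https} for the DNS entries under `domain`, list the
    hosts browsers could no longer reach once the preload entry (which always
    implies includeSubDomains) ships, i.e. the show stoppers the thread asks about."""
    suffix = "." + domain
    return sorted(h for h, tls in hosts.items()
                  if (h == domain or h.endswith(suffix)) and not tls)

if __name__ == "__main__":
    inventory = {  # constructed sample; the real sslyze results are in the thread's pastes
        "archlinux.org": True, "www.archlinux.org": True,
        "bbs.archlinux.org": True, "tracker.archlinux.org": False}
    print(preload_eligible("max-age=31536000; includeSubDomains; preload"))
    print(plain_http_blockers("archlinux.org", inventory))
```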
On January 5, 2017 18:45 Giancarlo Razzolini wrote:
> As I was reminded off list, preload is an all-or-nothing approach, due to the restrictions on the size of the preload list.

Can I submit archlinux.org to the preload list? Two weeks have passed and there were no objections.

Once submitted, it might take a while for versions of the browsers including our domain to reach users. Removal from the list is possible, but, once included, it is a lengthy process to remove a domain from the list. So, if someone thinks of something that might block this, the time is now. I plan to wait another week before moving on to adding the archlinux.org domain to the preload list.

Cheers,
Giancarlo Razzolini
On January 19, 2017 23:05 Giancarlo Razzolini wrote:
> I plan to wait another week before moving on to adding the archlinux.org domain to the preload list.

Hi all,

As one week has passed, and no objections were made, archlinux.org was just added to the preload list [0][1]. It takes some time for the change to propagate through versions, but usually the next major version of Chrome (and possibly Firefox) will contain the inclusion.

Over the past couple of weeks I tried to find STS preload usage outside of browsers, and I found none. wget seems to respect the HSTS header, but it doesn't use preload as far as I can tell. curl doesn't seem to have much (any?) documentation on the subject, and I don't see any evidence of preload lists in either their source or our package of it.

Anyway, from now on, every http service will *have* to be served through TLS. We have our certs being renewed automatically, so it shouldn't be an issue. If we ever need to disable preload, it will need to be done months before any usage of a plain http service. And even then, some users that do not update their browsers regularly won't be able to access anything under archlinux.org.

Cheers,
Giancarlo Razzolini

[0] https://git.archlinux.org/infrastructure.git/commit/?id=9beccb72d1e6e2659348...
[1] https://hstspreload.org/?domain=archlinux.org
On January 26, 2017 17:58 Giancarlo Razzolini wrote:
> As one week has passed, and no objections were made, archlinux.org was just added to the preload list [0][1].
>
> [0] https://git.archlinux.org/infrastructure.git/commit/?id=9beccb72d1e6e2659348...
> [1] https://hstspreload.org/?domain=archlinux.org

Hi all,

Archlinux was preloaded on the list. I expect that the next version of the browsers will contain our domain. I don't expect any issues, but if any of you finds one, we should fix it on our side, because removal from the preload is tricky and slow, even if it is possible.

Cheers,
Giancarlo Razzolini