posted by NCommander on Monday August 08 2016, @12:00PM
from the now-with-a+-scores dept.

So after an extended period of inactivity, I've finally decided to jump back into working on SoylentNews and rehash (the code that powers the site). As such, I've decided to scratch some long-standing itches. The first (and easiest) to deploy was HSTS to SoylentNews. What is HSTS you may ask?

HSTS stands for HTTP Strict Transport Security and is a special HTTP header that signifies that a site should only be connected to over HTTPS; it causes the browser to automatically load the encrypted version of a website should it see a regular URL. We've forbidden non-SSL connections to SN for over a year, but without HSTS in place, a man-in-the-middle downgrade attack was possible by intercepting the initial insecure page load.

One of the big views I have towards SoylentNews is we should be representative of "best practices" on the internet. To that end, we deployed IPv6 publicly last year, and went HTTPS-by-default not long after that. Deploying HSTS continues this trend, and I'm working towards implementing other good ideas that rarely seem to see the light of day.

Check past the break for more technical details.


As part of prepping for HSTS deployment, I went through every site in our public DNS records, and made sure they all have valid SSL certificates, and are redirecting to HTTPS by default. Much to my embarrassment, I found that several of our public facing sites lacked SSL support at all, or had self-signed certificates and broken SSL configurations. This has been rectified.

Let this be a lesson to everyone. While protecting your "main site" is always a good idea, make sure when going through and securing your infrastructure that you check every public IP and public hostname to make sure something didn't slip through the gaps. If you're running SSLLabs against your website, I highly recommend you scan all the subjectAlternativeNames listed in your certificate. Apache and nginx can provide different SSL options for different VHosts, and it's very important to make sure all of them have a sane and consistent configuration.

Right now, HSTS is deployed only on the main site, without "includeSubDomains". The reason for this is I wanted to make sure I didn't miss any non-SSL capable sites, and I'm still working on getting our CentOS 6.7 box up to best practices (unfortunately, the version of Apache it ships with is rather dated and doesn't support OCSP stapling. I'll be fixing this, but just haven't gotten around to it yet).

Once I've fixed that, and am happy with the state of the site, SN and her subdomains will be submitted for inclusion into browser preload lists. I'll run an article when that submission happens and when we're accepted. I hope to have another article this week on backend tinkering and proposed site updates.

Until then, happy hacking!
~ NCommander

  • (Score: 0) by Anonymous Coward on Monday August 08 2016, @01:29PM

    by Anonymous Coward on Monday August 08 2016, @01:29PM (#385281)

    I'm not real thrilled with Linux lately either. Debian with systemd has worked ok for me, although I did run into some braindead behavior where a machine wouldn't boot into a usable state due to some nonsense with mdadm due to braindead target dependencies.

    I really don't like what Red Hat did with 7. The upgrade package in the repo doesn't work. Rebuild the source rpm from:!redhat-upgrade-tool.git. The one in the repo listed on: is terribly out of date. The upstream package was fixed to work good enough for a decent admin to get the job done. Make sure that /var/run ends up symlinked to /run or systemd will lose its mind if you try to restart some services. I have not done this on CentOS, just the upstream RHEL and Oracle Linux. Oracle Linux uses a dated update tool not quite as dated as the CentOS tool that doesn't resolve package versions correctly where it sees a package with a higher version ending with el6 as being newer than el7. It is possible to manually fix all of those, but it is a huge pain. For example if RHEL6 has grep 1.2.3.el6 and RHEL 7 has grep 1.2.2.el7, the tool will think the 1.2.3.el6 is newer and stick with that. You have to reinstall ALL packages after the upgrade with the dated tool because the scripts within the packages complain about missing libraries, but still somehow successfully upgrade. Don't even get me started on firewalld (I use the old style rules files). The only reason I am using 7 in my org is young projects that require RHEL and that will be hard to upgrade or migrate, so the longer availability of security patches is the sensible thing to do. I wish they would have left grub alone, the new config file style is convoluted in my opinion. It appears that Red Hat is trying to make an OS that is for the server and a laptop, and fails at both because it is like designing a vehicle to be a gas sipping commuter that can pull a big rig's trailer.

  • (Score: 4, Insightful) by NCommander on Monday August 08 2016, @02:58PM

    by NCommander (2) Subscriber Badge on Monday August 08 2016, @02:58PM (#385310) Homepage Journal

    Red Hat is trying to make Red Hat be a poor knock off of Windows. It was never a good OS compared to Debian in terms of cohesiveness or sanity, and now it just flat out sucks. Right up until Debian jumped on the systemd train, it, and its descendants were by far one of the best experiences you could get on Linux.

    Still always moving
  • (Score: 0) by Anonymous Coward on Monday August 08 2016, @03:07PM

    by Anonymous Coward on Monday August 08 2016, @03:07PM (#385314)

    All it takes is several wasted hours to seriously hate systemd
    Mine turned into several days worth of time in the end

    • (Score: 3, Interesting) by Scruffy Beard 2 on Monday August 08 2016, @03:24PM

      by Scruffy Beard 2 (6030) on Monday August 08 2016, @03:24PM (#385321)

      So far I have seen weirdness, but have not been bitten in the *ss.

      I finally installed systemd on my old debian machine. The disk check caused the boot to fail (with a scary looking error) instead of simply resuming after waiting.

      I should be getting my new FreeBSD install working instead of posting on the Internet.

      • (Score: 2) by zeigerpuppy on Monday August 08 2016, @06:31PM

        by zeigerpuppy (1298) on Monday August 08 2016, @06:31PM (#385407)

        I've found that pinning systemd on Debian works pretty well. All my Debian machines run headless so there doesn't appear to be much need for systemd. I'm mostly running a wheezy/unstable hybrid on most machines which works well when you need apache 2.4, reasonably sane versions of node etc.

        I also use ZFS extensively, it's awesome but I'm sure there's a performance hit in ZFSonLinux vs native on BSD.