
Meta
posted by NCommander on Monday August 08 2016, @12:00PM   Printer-friendly
from the now-with-a+-scores dept.

So after an extended period of inactivity, I've finally decided to jump back into working on SoylentNews and rehash (the code that powers the site). As such, I've decided to scratch some long-standing itches. The first (and easiest) to deploy was HSTS to SoylentNews. What is HSTS you may ask?

HSTS stands for HTTP Strict Transport Security. It is an HTTP response header that tells the browser a site should only ever be reached over HTTPS, so the browser automatically rewrites plain http:// URLs for that site to https:// before making the request. We've forbidden non-SSL connections to SN for over a year, but without HSTS in place a man-in-the-middle downgrade attack was still possible by intercepting the initial insecure page load, before our redirect to HTTPS could take effect.

One of my big goals for SoylentNews is that we should be representative of "best practices" on the internet. To that end, we deployed IPv6 publicly last year, and went HTTPS-by-default not long after that. Deploying HSTS continues this trend, and I'm working towards implementing other good ideas that rarely seem to see the light of day.

Check past the break for more technical details.


As part of prepping for HSTS deployment, I went through every site in our public DNS records, and made sure they all have valid SSL certificates, and are redirecting to HTTPS by default. Much to my embarrassment, I found that several of our public facing sites lacked SSL support at all, or had self-signed certificates and broken SSL configurations. This has been rectified.

Let this be a lesson to everyone. While protecting your "main site" is always a good idea, when you go through and secure your infrastructure make sure you check every public IP and public hostname so that nothing slips through the gaps. If you're running SSLLabs against your website, I highly recommend you scan every subjectAlternativeName listed in your certificate. Apache and nginx can provide different SSL options for different VHosts, and it's very important to make sure all of them have a sane and consistent configuration.

Right now, HSTS is deployed only on the main site, without "includeSubDomains". The reason for this is that I wanted to make sure I hadn't missed any non-SSL capable sites, and I'm still working on getting our CentOS 6.7 box up to best practices (unfortunately, the version of Apache it ships with is rather dated and doesn't support OCSP stapling. I'll be fixing this, but just haven't gotten around to it yet).

Once I've fixed that, and am happy with the state of the site, SN and her subdomains will be submitted for inclusion in the browser preload lists. I'll run an article when that submission happens and when we're accepted. I hope to have another article this week on backend tinkering and proposed site updates.
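As an added example (not rehash or SoylentNews code), the per-hostname audit described above, the includeSubDomains decision and the preload-list requirements can be checked offline against an inventory of hosts; the hostnames and responses below are constructed, and the one-year max-age, includeSubDomains and preload directives are the hstspreload.org submission requirements.

```python
# Added example, not rehash or SoylentNews code: audit every public hostname for
# an HTTPS redirect, a valid certificate and a preload-strength HSTS header.
PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org: max-age of at least one year

def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict of
    directives; names are case-insensitive (RFC 6797), so lower-case them."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"') or None
    return out

def audit(host, require_preload=False):
    """Return the problems found for one host dict (empty list means clean).
    Keys: name, http (status, Location) seen on port 80 or None, cert_valid, hsts."""
    problems = []
    if not host["cert_valid"]:
        problems.append("certificate does not validate")
    if host["http"] is not None:
        status, location = host["http"]
        if status not in (301, 308) or not (location or "").startswith("https://" + host["name"] + "/"):
            problems.append("port 80 does not redirect to https:// on the same host")
    if host["hsts"] is None:
        problems.append("no Strict-Transport-Security header")
        return problems
    d = parse_hsts(host["hsts"])
    max_age = int(d["max-age"]) if (d.get("max-age") or "").isdigit() else 0
    if max_age == 0:
        problems.append("max-age missing, zero or malformed")
    if require_preload:
        if max_age < PRELOAD_MIN_MAX_AGE:
            problems.append("max-age below the one year preload requires")
        if "includesubdomains" not in d:
            problems.append("includeSubDomains missing (preload requires it)")
        if "preload" not in d:
            problems.append("preload directive missing")
    return problems

# Constructed inventory (no real responses): main site plus two subdomains.
INVENTORY = [
    {"name": "www.example.org", "http": (301, "https://www.example.org/"),
     "cert_valid": True, "hsts": "max-age=31536000; includeSubDomains; preload"},
    {"name": "wiki.example.org", "http": (200, None), "cert_valid": False, "hsts": None},
    {"name": "irc.example.org", "http": (301, "https://irc.example.org/"),
     "cert_valid": True, "hsts": "max-age=3600"},
]
def audit_all(inventory=INVENTORY, require_preload=True):
    return {h["name"]: audit(h, require_preload) for h in inventory}
```

Run with require_preload=False first to find hosts that are plainly broken (no certificate, no redirect, no header); only once every host is clean does the preload check on the base domain become meaningful, since includeSubDomains will cover all of them.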

Until then, happy hacking!
~ NCommander

  • (Score: 3, Informative) by canopic jug on Monday August 08 2016, @01:34PM

    by canopic jug (3949) Subscriber Badge on Monday August 08 2016, @01:34PM (#385284) Journal

    If you're comfortable with Debian then you could stay close to it with Devuan. It is basically a port of Jessie, for the time being, without systemd. It is a drop-in replacement minus the systemd crap.

    Or if you really want Debian then there is Debian GNU/kFreeBSD which is pretty much all the same as Debian GNU/Linux for all the user-land activity but, again, minus the systemd crap.

    --
    Money is not free speech. Elections should not be auctions.
  • (Score: 5, Interesting) by NCommander on Monday August 08 2016, @02:44PM

    by NCommander (2) Subscriber Badge <mcasadevall@soylentnews.org> on Monday August 08 2016, @02:44PM (#385303) Homepage Journal

    I've looked at Devuan in the past and it's a joke. They're rebuilding the entire archive out of a Jenkins instance using a based up version of git and lots of other stuff. That breaks a lot of shit like shlibs tracking, change metadata, etc. It also means they can't reasonably track any packages that are in non-git VCS (which are most of them). If you're going to build Debian, do it fucking right, don't kitbash your way to something else.

    I've talked with them about it but was completely blown off. I saw a few other DDs have poked their head in and got their nose cut off for it. Debian kFreeBSD is really not a direction I'd like to go in. They shipped glibc instead of BSD libc, which causes all sorts of application compat problems so interesting build failures are common, and you get all sorts of bloat you don't want or need on FreeBSD.

    --
    Still always moving
    • (Score: 2) by canopic jug on Monday August 08 2016, @03:49PM

      by canopic jug (3949) Subscriber Badge on Monday August 08 2016, @03:49PM (#385333) Journal
      Ok. It sounds like you might head in the direction of FreeBSD or OpenBSD then. What obstacles do you see with those up front? There is some support for OpenBSD via M:Tier so it is not obligatory to chase -current.
      --
      Money is not free speech. Elections should not be auctions.
      • (Score: 2) by NCommander on Monday August 08 2016, @03:56PM

        by NCommander (2) Subscriber Badge <mcasadevall@soylentnews.org> on Monday August 08 2016, @03:56PM (#385336) Homepage Journal

        I'm leaning far more towards FreeBSD. OpenBSD doesn't have a MAC framework. I've also found of the two, OpenBSD tends to be more difficult to get to run under hosted virtualization (aka Linode), and while its network tools (3 pf) are great, everything else falls kinda flat. Great respect for Theo, but OBSD simply lacks what we need.

        We run Apache under AppArmor to prevent unexpected stupidity dating back to when we ran Apache 1.3 due to slashcode being tied to that release before I took a nuclear blowtorch to it. If you could somehow manage to get a remote shell due to a flaw in rehash, you'd be limited to a very small number of files that Apache+rehash need to access to run, and the inability to run anything else. Not great, but much better than having unrestricted access to the filesystem as the slash user, and it mitigates many attempts to elevate to root.

        --
        Still always moving
        • (Score: 2) by canopic jug on Monday August 08 2016, @04:05PM

          by canopic jug (3949) Subscriber Badge on Monday August 08 2016, @04:05PM (#385343) Journal

          Ok. Thanks. It will be very interesting to see which way you go in the future.

          The team is doing a fantastic job running the site and the infrastructure. Plus, being able to follow along somewhat with these updates is worth gold and, in my opinion, keeps with the stated nature of the site.

          --
          Money is not free speech. Elections should not be auctions.
    • (Score: 1) by pTamok on Monday August 08 2016, @06:07PM

      by pTamok (3042) on Monday August 08 2016, @06:07PM (#385397)

      That is a shame. I was hoping Devuan was going to be a way for GNU/Linux to avoid the systemd mess. A BSD is beckoning. Debian voting to embrace systemd seems to have been a watershed.