In the continuing saga of website tinkering and people's love of update posts, I'm back with some backend configuration changes. Right now, things have been relatively quiet on the backend side of things. We've got some good news, and some bad news in this update. That being said, we've made a few small updates over the weekend. Rapid fire style, let's go through them:
CAA Records
CAA records define which certificate authorities (CAs) are allowed to sign your domains. They essentially act as a CA whitelist, and the most recent revisions of the Certificate Authority/Browser Baseline Requirements mandates that CAs check for CAA records and respect them. In line with this policy, we've white-listed Let's Encrypt and Gandi's CAs to issue certificates for SoylentNews for the time being as these are the two CAs currently in use here.
In a fun bit of fail, this is the second time I've tried to deploy CAA, and fortunately managed to succeed this go around. The problem stems from the fact that many versions of BIND except the very latest don't recognize the "CAA" record type, and cause the zone file to not process correctly if it's present. As we're still using an older version of BIND as our master server, I had to manually create TYPE257 records as seen below:
soylentnews.org. 3586 IN TYPE257 \# 16 0005697373756567616E64692E6E6574 soylentnews.org. 3586 IN TYPE257 \# 22 000569737375656C657473656E63727970742E6F7267 soylentnews.org. 3586 IN TYPE257 \# 35 0005696F6465666D61696C746F3A61646D696E40736F796C656E746E 6577732E6F7267 soylentnews.org. 3586 IN TYPE257 \# 12 0009697373756577696C643B
Both htbridge.com and ssllabs.com show that the CAA records are properly encoded, and show an additional green bar that they're in place.
Postfix LogJam
Almost two years ago, the Logjam attack on the DH key exchange was discovered and publicized. As part of our general hardening of SoylentNews, we regenerated all the DH parameters to prevent logjam from being a viable attack vector. Unfortunately, we overlooked the mail STARTTLS services on mail.soylentnews.org, and only caught it when I was checking various security things. The DH parameter files have been regenerated. Under normal circumstances, Logjam can't be exploited unless the underlying SSL cipher is relatively weak. As part of previous hardening, we kicked SSLv3 and many insecure ciphers to the curb, but unfortunately RSA_CBC_IDEA was accidentally left in place as a valid protocol for STARTTLS transport. Based on my understanding of the logjam attack, 1024-bit ciphers like RSA_CBC_IDEA are still difficult to exploit, and its likely only a nation state could successfully have breached it.
Given only SN staff have mail accounts, and that users are encouraged to change their passwords after creating an account, I think its safe to assume that we're relatively OK as far as data security and integrity go since email in general at best is opportunistically encrypted, and should always be assumed to be monitor-able (via a STRIPTLS attack). That being said, if you haven't changed your password from account creation though, it's likely a good idea to do so now.
We discovered our IMAP server has been serving a self-signed certificate during this check as well. We'll be replacing this with a properly signed certificate within the near future. I have other things on this topic that will be noted in a future post, so keep a look out for that.
Disabling HTTP Methods
A routine check of the site's security headers showed that we were accepting HTTP TRACE and other methods we don't need on production. The configuration for nginx has been modified to put a bullet in this behavior. We're still checking to make sure we got this everywhere, but we should be good on at least the production servers for now. This has bumped the site security rating up to an A on the HTBridge; we're still missing the referral security header, but we need to check to make sure there's no user impact before deploying it.
3DES Put Out To Pasture
As always in the world of encryption, various algorithms eventually become insecure and weakened as cryptanalysis gets more and more advanced. A few months ago, the SWEET32 attack against 3DES was discovered which drastically weakens the security of 3DES via the birthday paradox problem. In practice, SWEET32 requires a second exploit to even be usable as SoylentNews only allowed 3DES connections as a last resort if AES wasn't supported. As every major browser has supported AES for years, we decided to put 3DES out to pasture and have removed it from the allowed list of ciphers for SN.
Not too much to note in this round of administration games, but we're working to make overhaul changes to the stack to allow the potential for HPKP key pinning in the near future, as well as deploying TLSA/DANE support for both HTTPS and SMTP on SN. As part of this process, we'll also be enabling HSTS across subdomains, and reissuing our SSL certificates to enable OCSP Must-Staple. We'll keep you guys updated as we move towards that goal!
~ NCommander
(Score: 0) by Anonymous Coward on Monday April 17 2017, @11:05PM (5 children)
As for A6 records, you really had to dig hard to find that one.
Sigh. Don't you mean, very funny, here's yer stinkin' A6 record.
soylentnews.org. 300 IN TYPE38 \# 17 0026003C0000000000F03C91FFFE98B8FE
(Score: 2) by NCommander on Tuesday April 18 2017, @02:04AM (4 children)
I had to look up the A6 specification to actually figure out if that would be valid. I'm not 100% sure the leading 00 is required. For a /128 A6 chain (which is what you defined), I think its just the pure address. That being said, that's not how you're supposed to use A6. With A6, I'd define the /64 part of the network that defines soylentnews.org like so:
(I'm not 100% sure this is right, but I'm not actually going to set up an old BIND to check my records)
soylentnews.org A6 64 2600:3c00::
soylentnews.org A6 64 ::f03c:91ff:fe98:b8fe
dev.soylentnews.org A6 64 ::f03c:91ff:fe6e:d0a3
As such, clients can build the full A6 chain, and if I need to renumber, I change the top half of the network address to make magic happen. A6 was only supported by BIND in both client and server forms, and never adapted wildly before the RFC was listed as historical.
Still always moving
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @04:32AM (3 children)
I use A6 records in real life, and yes, the prefix-length byte is mandatory.
The two simplest use cases are:
Prefix length 0. The A6 contains one IPv6 address. Equivalent to an AAAA record.
Prefix length 128. The A6 contains one hostname. Equivalent to a CNAME record.
Anywhere between these two extremes, the A6 must contain both a suffix address and a prefix name.
Your chain has to end at a prefix like so:
prefix.soylentnews.org. A6 0 2600:3c00::
soylentnews.org. A6 64 ::f03c:91ff:fe98:b8fe prefix.soylentnews.org.
dev.soylentnews.org. A6 64 ::f03c:91ff:fe6e:d0a3 prefix.soylentnews.org.
(Score: 2) by NCommander on Tuesday April 18 2017, @06:00AM (2 children)
What actually resolves A6 though and A6 is marked as historic. (Serious question)? Is there any actual advantages of using A6? At best, I can put A6 recorders for the full 128 address but that provides no advantage over AAAA. If I use chains as intended, then actually making a DNS lookup over IPv6 requires two round trips at minimum.
AAAA is the current standard, and as far as I can tell, Linux doesn't even check the A6 record type anymore.
Still always moving
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @08:12AM (1 child)
There isn't any advantage. A6 just looks cool.
(Score: 2) by NCommander on Tuesday April 18 2017, @06:39PM
... for that reason alone I'm sorta tempted to add them :)
Still always moving