Are we allowed to set our mirrors with ssl enabled? I think Let's Encrypt is one of the greatest technologies ever so I used their Certbot tool to enable ssl on our mirror.
Sent from my iPhone
On 14/01/17 16:20, Ryan Nix wrote:
Are we allowed to set our mirrors with ssl enabled? I think Let's Encrypt is one of the greatest technologies ever so I used their Certbot tool to enable ssl on our mirror.
Hi,
Having TLS on even mirror.centos.org was evaluated, but because we still have CentOS 5 yum clients, we decided to wait until it disappears (soon). Starting from 6, yum can handle https fine, even through redirect.
At your personal mirror, you can do whatever you want, but keep in mind that the old perl crawler script we use behind http://mirror-status.centos.org *doesn't* support https at the moment. So you can enable it, but not enforce it, otherwise, your mirror wouldn't be validated and so would be removed from yum mirrorlists (until we rewrite it completely, which is also a *very* good idea)
Some other mirrors have TLS enabled but it's just that it's not listed on https://www.centos.org/download/mirrors (for the reason mentioned above)
Cheers,
Ok, I'll disable the enforced redirect.
Sent from my iPad
On Jan 17, 2017, at 1:34 AM, Fabian Arrotin arrfab@centos.org wrote:
On 14/01/17 16:20, Ryan Nix wrote: Are we allowed to set our mirrors with ssl enabled? I think Let's Encrypt is one of the greatest technologies ever so I used their Certbot tool to enable ssl on our mirror.
Hi,
Having TLS on even mirror.centos.org was evaluated, but because we still have CentOS 5 yum clients, we decided to wait until it disappears (soon). Starting from 6, yum can handle https fine, even through redirect.
At your personal mirror, you can do whatever you want, but keep in mind that the old perl crawler script we use behind http://mirror-status.centos.org *doesn't* support https at the moment. So you can enable it, but not enforce it, otherwise, your mirror wouldn't be validated and so would be removed from yum mirrorlists (until we rewrite it completely, which is also a *very* good idea)
Some other mirrors have TLS enabled but it's just that it's not listed on https://www.centos.org/download/mirrors (for the reason mentioned above)
Cheers,
-- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
Dear Ryan,
I am curious...
which advantages did you intend to get out of the redirect?
imho doesn't offer any increase in security at all:
1) The packages are signed, so their integrity is protected.
2) Confidentiality of the request is already broken before the redirect.
3) MITM/Downgrade can already happen there.
So unless HTTPS becomes standard delivery method or HSTS is honored, this is a moot exercise anyway that just leads to lower performance.
If HTTPS becomes the standard delivery method, against which CA base will certificates be checked? Having signed packages already solves this problem nicely and at the most convenient layer.
Please don't get me wrong... generally I think enabling TLS is a great idea, but in this case I'm doubtful of the benefit.
Kind regards AS250.net CDN OPS
The performance hit is negligible, especially for someone like Northwestern that is part of Internet2. We also have a SSD drive pushing the bits on the mirror. Personally, there is no reason not to use SSL wherever possible, especially with Let’s Encrypt being free and automated. There is a reason Google gives preferential rankings to sites that use SSL. Yes, there are checksums on the CentOS ISOs and packages, but how many people actually do that after a download? Using SSL reduces the need to checksums.
On Jan 17, 2017, at 7:52 AM, cdnops@as250.net wrote:
Dear Ryan,
I am curious...
which advantages did you intend to get out of the redirect?
imho doesn't offer any increase in security at all:
The packages are signed, so their integrity is protected.
Confidentiality of the request is already broken before the redirect.
MITM/Downgrade can already happen there.
So unless HTTPS becomes standard delivery method or HSTS is honored, this is a moot exercise anyway that just leads to lower performance.
If HTTPS becomes the standard delivery method, against which CA base will certificates be checked? Having signed packages already solves this problem nicely and at the most convenient layer.
Please don't get me wrong... generally I think enabling TLS is a great idea, but in this case I'm doubtful of the benefit.
Kind regards AS250.net CDN OPS _______________________________________________ CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
Actually,
If a master mirror gets hacked, and an ISO replaced, the modified copy will be rsync'd to the mirrors. So, it's still in people's best interests to (even if downloading over SSL) checksum the ISO
-L
On 18/01/2017, at 2:38 PM, Ryan Nix ryan.nix@gmail.com wrote:
The performance hit is negligible, especially for someone like Northwestern that is part of Internet2. We also have a SSD drive pushing the bits on the mirror. Personally, there is no reason not to use SSL wherever possible, especially with Let’s Encrypt being free and automated. There is a reason Google gives preferential rankings to sites that use SSL. Yes, there are checksums on the CentOS ISOs and packages, but how many people actually do that after a download? Using SSL reduces the need to checksums.
On Jan 17, 2017, at 7:52 AM, cdnops@as250.net wrote:
Dear Ryan,
I am curious...
which advantages did you intend to get out of the redirect?
imho doesn't offer any increase in security at all:
The packages are signed, so their integrity is protected.
Confidentiality of the request is already broken before the redirect.
MITM/Downgrade can already happen there.
So unless HTTPS becomes standard delivery method or HSTS is honored, this is a moot exercise anyway that just leads to lower performance.
If HTTPS becomes the standard delivery method, against which CA base will certificates be checked? Having signed packages already solves this problem nicely and at the most convenient layer.
Please don't get me wrong... generally I think enabling TLS is a great idea, but in this case I'm doubtful of the benefit.
Kind regards AS250.net CDN OPS _______________________________________________ CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
I don't disagree with that assertion at all, however, i'm curious to know what percentage of people actually run a checksum after they've downloaded an ISO or package. At any rate, the let's encrypt SSL certs are a nice feature to have it would be great to use them on the mirrors.
Sent from my iPad
On Jan 17, 2017, at 7:40 PM, Levi Pihema-Lindsay levi@2prointl.co wrote:
Actually,
If a master mirror gets hacked, and an ISO replaced, the modified copy will be rsync'd to the mirrors. So, it's still in people's best interests to (even if downloading over SSL) checksum the ISO
-L
On 18/01/2017, at 2:38 PM, Ryan Nix ryan.nix@gmail.com wrote:
The performance hit is negligible, especially for someone like Northwestern that is part of Internet2. We also have a SSD drive pushing the bits on the mirror. Personally, there is no reason not to use SSL wherever possible, especially with Let’s Encrypt being free and automated. There is a reason Google gives preferential rankings to sites that use SSL. Yes, there are checksums on the CentOS ISOs and packages, but how many people actually do that after a download? Using SSL reduces the need to checksums.
On Jan 17, 2017, at 7:52 AM, cdnops@as250.net wrote:
Dear Ryan,
I am curious...
which advantages did you intend to get out of the redirect?
imho doesn't offer any increase in security at all:
The packages are signed, so their integrity is protected.
Confidentiality of the request is already broken before the redirect.
MITM/Downgrade can already happen there.
So unless HTTPS becomes standard delivery method or HSTS is honored, this is a moot exercise anyway that just leads to lower performance.
If HTTPS becomes the standard delivery method, against which CA base will certificates be checked? Having signed packages already solves this problem nicely and at the most convenient layer.
Please don't get me wrong... generally I think enabling TLS is a great idea, but in this case I'm doubtful of the benefit.
Kind regards AS250.net CDN OPS _______________________________________________ CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
-
cdnops@as250.net -
Fabian Arrotin -
Levi Pihema-Lindsay -
Ryan Nix