Re: [Savannah-hackers-public] Memo: HTTP/2 support for Savannah (and probably *.gnu.org) and the blockers

[Jing Luo]

Ah Bob,

Please ignore what I said waaaay back. I didn't know what hosts use what 
web servers, and then Michael(?) told me once that "most of our systems 
use apache2".

> HTTP/2 brings more performance but also brings more vulnerabilities 
> too.

Yes, but my observation is that nginx has handled them pretty well. E.g. 
the "HTTP/2 rapid reset" vulnerability last October, the default 
settings in nginx already can mitigate this issue.

Speaking of performance, it matters the most when you are under various 
kinds of attack where some many things can go wrong. *.gnu.org may be 
small, but it's a high value target for crackers. HTTP/2 stream can 
reduce the number of connections. It would give a chance for legitimate 
users to connect IIUC when the servers are under ddos attack.

(wishlist) If not HTTP/2, maybe at least enable TLSv1.3 where OpenSSL 
supports it. Together with ssl_stapling on and ssl_prefer_sever_ciphers 
off, you can save at least 1 round trip per connection. The difference 
may not be obvious for youse guys in the US, but for anyone across the 
ocean, it will have noticeable difference. You may need to limit the 
ciphers like the standard certbot provided nginx config.

(not so wishlist) Therefore, HTTP/2 or not, I urge you to test the 
"reference nginx config" I shared on the private IRC channel (I forgot 
the paste bin address) :) Then we can discuss the fine tune detail of 
SSL, HTTP/2, etc.

--
Jing Luo
About me: https://jing.rocks/about/
PGP Fingerprint: 4E09 8D19 00AA 3F72 1899 2614 09B3 316E 13A1 1EFC

signature.asc
Description: OpenPGP digital signature