
[Sks-devel] HKP and HSTS


From: Alain Wolf
Subject: [Sks-devel] HKP and HSTS
Date: Sun, 17 May 2015 17:03:09 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi all

I don't suppose that a lot of people are affected by this. But it doesn't
look nice so I had to do something about it. Maybe some of you are
interested.

If the domain of your keyserver has strict HSTS enabled it may create a
problem for browsers accessing the HTML interface of your keyserver on
the SKS port.

If a modern browser is directed to a website on a non-standard TCP port
in an HSTS enabled domain, the browser will attempt to initiate a TLS
connection on that port, even if the URL starts with http:// and not
https://. If the TLS handshake subsequently fails, an error page is
displayed to the user and that's it then.

So users visiting our keyservers web-interface on port 11371 will be
greeted with a security error message.

This behavior may seem strange but it's currently the only way of
ensuring security. The browser MUST enforce HSTS but also has no secure
way to learn about or assume on what other presumably non-standard TCP
port number it could attempt a secure connection.

The problem and the decisions made on how to handle it are described in
this blog post by Andy Steingruebl:
http://securityretentive.blogspot.ch/2010/11/quick-clarification-on-hsts-http-strict.html

I noticed this when I tried to click on the links of some SKS servers on
the pool status pages. i.e. http://keyserver.mattrude.com:11371/ or my
own http://pgpkeys.urown.net:11371/

As a workaround I installed sslh
(http://www.rutschle.net/tech/sslh.shtml) on my keyserver. It listens on
TCP port 11371 and tries to sniff out the protocol used and forwards the
connection either to port 11371 or 443 on the localhost address where
Nginx is listening.

sslh is available in the Ubuntu, Debian, SUSE and Fedora software
package repositories.

My /etc/sslh.cfg file:

-------------<snip>-------------
#
# sslh configuration for HKP OpenPGP keyservers
#

verbose: false;
foreground: false;
inetd: false;
numeric: true;
timeout: 2;
user: "sslh";
pidfile: "/var/run/sslh.pid";

# List of interfaces on which we should listen
listen:
(
    { host: "192.0.2.37"; port: "11371"; },
    { host: "2001:db8::37"; port: "11371"; }
);

# List of protocols
protocols:
(
     { name: "http"; host: "127.0.0.37"; port: "11371"; probe: "builtin"; },
     { name: "https"; host: "127.0.0.37"; port: "443"; probe: [ "" ]; }
);

# Fallback protocol
on-timeout: "http";
-------------<snip>-------------

Of course you have to tell Nginx not to listen on port 11371 on
those IPs and listen on 127.0.0.37 instead.


Regards

Alain
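The protocol sniffing that sslh performs on port 11371 can be illustrated with a small demultiplexer. The following is an added example, not code from the post or from the sslh project: it peeks at the first bytes a client sends, decides whether they look like a TLS ClientHello (what an HSTS-upgraded browser sends) or a plaintext HKP/HTTP request, and forwards the connection to the matching backend, replaying the bytes consumed while probing. The backend addresses and the 2-second probe timeout mirror the configuration in the post; the function names, the 16-byte probe limit and the listening address are assumptions of this example.

```python
"""
Added example (not from the original post or the sslh project): a minimal
protocol demultiplexer in the spirit of sslh on an HKP port. A browser that
has an HSTS policy for the keyserver's domain will open a TLS connection to
port 11371; a normal HKP client sends plaintext HTTP. Both must be served
from the same port, so the first bytes decide where the connection goes.
"""
import select
import socket
import threading
import time
from typing import Optional, Tuple

# Assumed backend layout, mirroring the post: plaintext HKP on 127.0.0.37:11371
# and TLS (Nginx) on 127.0.0.37:443. These are placeholder values.
BACKENDS = {
    "http": ("127.0.0.37", 11371),
    "https": ("127.0.0.37", 443),
}
FALLBACK = "http"      # like sslh's  on-timeout: "http";
PROBE_TIMEOUT = 2.0    # like sslh's  timeout: 2;
PROBE_LIMIT = 16       # assumption: enough bytes to decide either way

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")


def classify(first_bytes: bytes) -> Optional[str]:
    """Return "http" for an HTTP request line, "https" for a TLS record that
    carries a ClientHello, or None if the prefix is not decidable yet."""
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if len(first_bytes) < 6:
        return None
    # TLS record header: ContentType 0x16 (handshake), version major 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[5] == 0x01:
        return "https"
    return None


def probe(client: socket.socket) -> Tuple[str, bytes]:
    """Read until the protocol is known, the probe limit is reached, or the
    timeout expires; return (protocol, bytes consumed so far)."""
    buf = b""
    deadline = time.monotonic() + PROBE_TIMEOUT
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return FALLBACK, buf          # silent client: sslh's on-timeout
        client.settimeout(remaining)
        try:
            chunk = client.recv(4096)
        except socket.timeout:
            return FALLBACK, buf
        if not chunk:
            return FALLBACK, buf          # client closed before sending enough
        buf += chunk
        proto = classify(buf)
        if proto is not None:
            return proto, buf
        if len(buf) >= PROBE_LIMIT:
            return FALLBACK, buf          # neither HTTP nor TLS: fall back


def pump(a: socket.socket, b: socket.socket) -> None:
    """Copy bytes in both directions until either side closes."""
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for src in readable:
            dst = b if src is a else a
            data = src.recv(65536)
            if not data:
                return
            dst.sendall(data)


def handle(client: socket.socket) -> None:
    proto, consumed = probe(client)
    client.settimeout(None)
    backend = socket.create_connection(BACKENDS[proto])
    try:
        backend.sendall(consumed)         # replay what the probe consumed
        pump(client, backend)
    finally:
        client.close()
        backend.close()


def serve(listen_addr: Tuple[str, int] = ("0.0.0.0", 11371)) -> None:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(64)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it as root or with the capability to bind port 11371 and point it at the two backends; the real sslh additionally handles IPv6 listeners, privilege dropping and transparent proxying, which this example leaves out. The probe deliberately returns the bytes it consumed so that nothing the client sent is lost when the connection is handed to the backend.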