Opened 2 years ago

Last modified 6 weeks ago

#20319 needs_revision defect

set HPKP headers on onionoo

Reported by: weasel Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: karsten Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description


Child Tickets

Attachments (4)

security.conf (2.4 KB) - added by sainslie 23 months ago.
security.conf.sig (543 bytes) - added by sainslie 23 months ago.
default.vcl (252 bytes) - added by sainslie 23 months ago.
default.vcl.sig (543 bytes) - added by sainslie 23 months ago.


Change History (11)

comment:1 Changed 2 years ago by karsten

Cc: karsten added

Please let me know if I need to do anything here.

Changed 23 months ago by sainslie

Attachment: security.conf added

Changed 23 months ago by sainslie

Attachment: security.conf.sig added

comment:2 Changed 23 months ago by sainslie

Status: new → merge_ready


I implemented it.




comment:3 Changed 23 months ago by weasel

Thanks for trying to help, sainslie, but apache is not anywhere in that stack.

comment:4 in reply to:  3 Changed 23 months ago by sainslie

Replying to weasel:

Thanks for trying to help, sainslie, but apache is not anywhere in that stack.



I rebuilt it using Varnish Configuration Language.



Changed 23 months ago by sainslie

Attachment: default.vcl added

Changed 23 months ago by sainslie

Attachment: default.vcl.sig added

comment:5 Changed 23 months ago by weasel

Status: merge_ready → needs_revision

Unfortunately, again, not useful. We don't want to hardcode keys in the varnish config. This needs to come out of config management that knows the key and backup key hashes. It seems unlikely you can help in this matter, and all you're doing here is make the ticket noisy and useless.
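
One way to meet the requirement in comment:5, as an added example that is not part of the ticket or of Tor's configuration: the Public-Key-Pins value is rendered from pin data supplied by config management instead of being hardcoded in the proxy config. The function names, the sample key bytes and the max-age value are assumptions made for illustration.

```python
import base64
import binascii
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Return the RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def render_hpkp(pins, max_age, include_subdomains=False):
    """Build a Public-Key-Pins header value from pins held in config management.

    Refuses to render a policy that could lock clients out: RFC 7469 requires
    a backup pin, so fewer than two distinct, well-formed pins is an error.
    """
    if not isinstance(max_age, int) or max_age <= 0:
        raise ValueError("max-age must be a positive integer")
    seen = {}  # digest bytes -> pin string, keeps order and drops duplicates
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"pin is not valid base64: {pin!r}") from exc
        if len(raw) != hashlib.sha256().digest_size:
            raise ValueError(f"pin is not a SHA-256 digest: {pin!r}")
        seen.setdefault(raw, pin)
    if len(seen) < 2:
        raise ValueError("need the active key pin and at least one backup pin")
    parts = [f'pin-sha256="{p}"' for p in seen.values()]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


# Constructed stand-ins for the DER SubjectPublicKeyInfo of the live key and of
# the offline backup key; a real deployment hashes the actual SPKI bytes.
ACTIVE_SPKI = b"constructed-active-spki"
BACKUP_SPKI = b"constructed-backup-spki"

if __name__ == "__main__":
    pins = [spki_pin(ACTIVE_SPKI), spki_pin(BACKUP_SPKI)]
    # max_age of 60 days is an assumed value, not one taken from the ticket.
    print("Public-Key-Pins:", render_hpkp(pins, max_age=5184000))
```
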

comment:6 Changed 6 weeks ago by qbi

Google Chrome is about to remove it from their next releases: https://www.chromestatus.com/feature/5903385005916160
and HPKP has a quite low adoption rate. So I wonder if we should close it as wontfix. What do others think?

comment:7 Changed 6 weeks ago by weasel

I'm leaning towards agreement, but wonder if this also means we should retire HPKP everywhere else too.
