-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update site-defaults.conf #5693
base: staging
Are you sure you want to change the base?
Conversation
updated security config
You have to add in Content-Security-Policy connect-src 'self' https://api.pwnedpasswords.com/range/ |
|
||
index index.php index.html; | ||
|
||
client_max_body_size 0; | ||
|
||
gzip on; | ||
#Disable gzip compression to avoid the BREACH attack |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any source of this being actual in 2024?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://nginx.org/en/docs/http/ngx_http_gzip_module.html:
When using the SSL/TLS protocol, compressed responses may be subject to BREACH attacks.
So it must be sth. else that needs to mitigate that:
BREACH
The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) vulnerability is very similar to CRIME but BREACH targets HTTP compression, not TLS compression. This attack is possible even if TLS compression is turned off. An attacker forces the victim’s browser to connect to a TLS-enabled third-party website and monitors the traffic between the victim and the server using a man-in-the-middle attack. The BREACH vulnerability is registered in the NIST NVD database as CVE-2013-3587.
A vulnerable web application must satisfy the following conditions:
- Be served from a server that uses HTTP-level compression
- Reflect user input in HTTP response bodies
- Reflect a secret (such as a CSRF token) in HTTP response bodies (therefore values in HTTP headers, such as cookies, are safe from this attack).
Prevention
- Disable HTTP compression
- Separate secrets from user input
- Randomize secrets per request
- Mask secrets (effectively randomize by XORing with a random secret per request)
- Protect pages against CSRF
- Hide the length (by adding random numbers of bytes to responses)
- Limit the rate of requests
Source: https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/
Maybe the CSRF Token in /web is enough to mitigate?
https://github.com/search?q=repo%3Amailcow%2Fmailcow-dockerized%20CSRF&type=code
But in my opinion the saver way is to turn gzip off as also bandwidth isn't the main reason anymore
so loading would increase just slightly? (haven't done any testing)
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
Before it's getting closed - here's my opinion:
Is there any source where you get that ciphers list from? Another up-2-date method would be: echo "ssl_ciphers \"$(openssl ciphers -s '!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA:!3DES:!CAMELLIA:!AESCCM:!ECDHE-RSA-CHACHA20-POLY1305:!DHE-RSA-CHACHA20-POLY1305:!RSA+AESGCM:!ARIA256-GCM-SHA384:!ARIA128-GCM-SHA256:!SHA1:!SHA256:!SHA384:HIGH@STRENGTH')\";" ssl_ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-RSA-ARIA128-GCM-SHA256"; The
Note Note that configuring OpenSSL directly might result in unexpected behavior. Source: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_conf_command
Set
Seems to be fine - even if we need to set "unsafe-inline" @ script-src in Content-Security-Policy to make SOGo work.
It has to be:
otherwise you won't be able to load any external embedded graphics in mail. I don't know how many users will use gravatar but in my opinion it shouldn't be the default one.
And yes |
updated security config