Internet.nl Score of news.ycombinator.com: No IPv6, DNSSEC, TLS1.3, RPKI ROA (opens in new tab)

(internet.nl)

3 pointsbwblabs2y ago3 comments

3 comments

3 comments · 1 top-level

bwblabsOP2y ago· 2 in thread

The news.ycombinator.com setup isn't really modern:

- no IPv6 address for the webserver

- no DNSSEC

- no RPKI ROA for webserver BGP routes

- use of TLS 1.0 and no TLS 1.3

- use of insecure* ciphers

- CSP with 'unsafe-inline' in script-src

When I see TLS 1.0 and no TLS 1.3, I assume there is a bit of legacy openssl or at least the configuration of it. Probably wise to update the config since modern browsers don't support TLS 1.0.

* based on NCSC-NL: https://english.ncsc.nl/publications/publications/2021/janua...

LinuxBender2y ago

Github.com receives a slightly better score [1]. I'm surprised we still consider DNSSEC to be a measurable factor in a sites security ranking. How long until that test is removed? We don't test for HPKP Public Key Pinning any more as adoption halted and many people removed it due to complexity traps that could cause outages. DNSSEC has been experiencing the same problems [2] making businesses hesitant to use it [3]. Ycombinator still gets an "A" for security headers [4]. At times HN gets pointed to AWS's CDN so that is perhaps a way to address the IPv6 short term until IPv6 addresses were added to HN's servers.

I can envision fintech eventually being regulated into adopting DNSSEC. For everyone else it would probably require better tooling and fail-safes.

[1] - https://internet.nl/site/github.com/2231928/

[2] - https://ianix.com/pub/dnssec-outages.html

[3] - https://blog.apnic.net/2021/11/26/adoption-of-dns-security-m...

[4] - https://securityheaders.com/?q=https%3A%2F%2Fnews.ycombinato...

jaclaz2y ago

>modern browsers don't support TLS 1.0.

Out of curiosity, did you need to use a non-modern browser to create this thread and post on it?

j / k navigate · click thread line to collapse

3 comments

3 comments · 1 top-level

bwblabsOP2y ago· 2 in thread

The news.ycombinator.com setup isn't really modern:

- no IPv6 address for the webserver

- no DNSSEC

- no RPKI ROA for webserver BGP routes

- use of TLS 1.0 and no TLS 1.3

- use of insecure* ciphers

- CSP with 'unsafe-inline' in script-src

When I see TLS 1.0 and no TLS 1.3, I assume there is a bit of legacy openssl or at least the configuration of it. Probably wise to update the config since modern browsers don't support TLS 1.0.

* based on NCSC-NL: https://english.ncsc.nl/publications/publications/2021/janua...

LinuxBender2y ago

Github.com receives a slightly better score [1]. I'm surprised we still consider DNSSEC to be a measurable factor in a sites security ranking. How long until that test is removed? We don't test for HPKP Public Key Pinning any more as adoption halted and many people removed it due to complexity traps that could cause outages. DNSSEC has been experiencing the same problems [2] making businesses hesitant to use it [3]. Ycombinator still gets an "A" for security headers [4]. At times HN gets pointed to AWS's CDN so that is perhaps a way to address the IPv6 short term until IPv6 addresses were added to HN's servers.

I can envision fintech eventually being regulated into adopting DNSSEC. For everyone else it would probably require better tooling and fail-safes.

[1] - https://internet.nl/site/github.com/2231928/

[2] - https://ianix.com/pub/dnssec-outages.html

[3] - https://blog.apnic.net/2021/11/26/adoption-of-dns-security-m...

[4] - https://securityheaders.com/?q=https%3A%2F%2Fnews.ycombinato...

jaclaz2y ago

>modern browsers don't support TLS 1.0.

Out of curiosity, did you need to use a non-modern browser to create this thread and post on it?

j / k navigate · click thread line to collapse