Merge branch 'master' into contact-procedure-update

11 files changed, 117 insertions, 1 deletions

diff --git a/tracker/Allow_fripost_members_to_log_into_the_wiki_using_their_fripost_credentials.mdwn b/tracker/Allow_fripost_members_to_log_into_the_wiki_using_their_fripost_credentials.mdwn
new file mode 100644
index 0000000..43481a8
--- /dev/null
+++ b/tracker/Allow_fripost_members_to_log_into_the_wiki_using_their_fripost_credentials.mdwn
@@ -0,0 +1,3 @@
+Right now, it supports using google, yahoo and other companies (is anyone still using AOL???) but not fripost.
+
+I don't know if ikiwiki supports ldap but it seems to support OpenID so a way to implement this could be to have an openid identity provider at fripost.
diff --git a/tracker/CSP_too_strict.mdwn b/tracker/CSP_too_strict.mdwn
new file mode 100644
index 0000000..308754d
--- /dev/null
+++ b/tracker/CSP_too_strict.mdwn
@@ -0,0 +1,15 @@
+On firefox 45, remote images are not shown in the webmail because of the CSP:
+
+```
+Content Security Policy: The page's settings blocked the loading of a resource at https://sendy.nitrokey.com/uploads/1431348652.png ("img-src https://mail.fripost.org").
+```
+
+Oh wait, that's weird: it seems to block data-urls too:
+
+```
+Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ("img-src https://mail.fripost.org").
+```
+
+I'm not too excited about allowing browsers to load images from arbitrary sources, but [did it anyway](https://git.fripost.org/fripost-ansible/commit/?id=c90ae1fe9d40a0271844d321a7a54ee219735ccf) with the hope that roundcube's anti-XSS filter is good enough.
+I've also checked with the [Email Privacy Tester](https://emailprivacytester.com/) that other external resources blocked by the CSP are probably malicious.
+[[closed]]. -- [[guilhem]]
diff --git a/tracker/CSP_too_strict/comment_1_4156da3309262dc53fff06dbbbcbb30c._comment b/tracker/CSP_too_strict/comment_1_4156da3309262dc53fff06dbbbcbb30c._comment
new file mode 100644
index 0000000..ce90b13
--- /dev/null
+++ b/tracker/CSP_too_strict/comment_1_4156da3309262dc53fff06dbbbcbb30c._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Grégoire"
+ avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad"
+ subject="Still a problem with http urls"
+ date="2016-04-08T09:50:11Z"
+ content="""
+Now some of the images work but not all. According to Firefox' console, http URLs are upgraded to https which may not work all the time.
+
+I don't know if it is possible but a better way to do this may be to use roundcube as a proxy for images and other inline content?
+"""]]
diff --git a/tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment b/tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment
new file mode 100644
index 0000000..c6df409
--- /dev/null
+++ b/tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="guilhem"
+ avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28"
+ subject="Further weakened the Content-Security-Policy"
+ date="2016-04-08T12:14:46Z"
+ content="""
+Alright, just [removed](https://git.fripost.org/fripost-ansible/commit/?id=e370313ad5895871479fffc922e3c72c0375dbf2) [`upgrade-insecure-requests`](https://www.w3.org/TR/upgrade-insecure-requests/#upgrade-insecure-requests) and [`block-all-mixed-content`](https://www.w3.org/TR/mixed-content/#block_all_mixed_content) from the CSP.  Again, with the hope that Roundcube's built-in filter is tight enough by default…
+"""]]
diff --git a/tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment b/tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment
new file mode 100644
index 0000000..3c53e3c
--- /dev/null
+++ b/tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="Grégoire"
+ avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad"
+ subject="comment 3"
+ date="2016-04-08T13:30:16Z"
+ content="""
+I understand your frustration...
+
+I found that someone openned an related issue agains Roundcube about this almost exactly 2 years ago: [Image proxy #5099](https://github.com/roundcube/roundcubemail/issues/5099). It doesn't seem to be considered high prirority and I can understand as it's probably not an easy thing to get right.
+
+An other interesting way to fix this would be to have at tool that inlines all the images in an email (turn the remote images into data urls) which you would run on all incomming messages (maybe using sieve?). The only problem is that it might considerably blow-up the size of your mailboxes but given the benefits, it might be worth a try.
+"""]]
diff --git a/tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment b/tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment
new file mode 100644
index 0000000..144ef97
--- /dev/null
+++ b/tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="guilhem"
+ avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28"
+ subject="comment 4"
+ date="2016-04-08T13:39:39Z"
+ content="""
+Would be nice to have such proxy, indeed.  Beside the mailbox overhead, another downside of the sieve hack is that this would invalidate all integrity checking such as DKIM or OpenPGP.
+"""]]
diff --git a/tracker/Install_keyboard_shortcuts_on_roundcube/comment_1_ae7383a784c52817db9238cd08d1847e._comment b/tracker/Install_keyboard_shortcuts_on_roundcube/comment_1_ae7383a784c52817db9238cd08d1847e._comment
new file mode 100644
index 0000000..26adcd6
--- /dev/null
+++ b/tracker/Install_keyboard_shortcuts_on_roundcube/comment_1_ae7383a784c52817db9238cd08d1847e._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="Grégoire"
+ avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad"
+ subject="Ping"
+ date="2016-12-16T12:03:52Z"
+ content="""
+😉
+"""]]
diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox.mdwn b/tracker/Public-Key-Pins_not_accepted_by_firefox.mdwn
new file mode 100644
index 0000000..d7245cc
--- /dev/null
+++ b/tracker/Public-Key-Pins_not_accepted_by_firefox.mdwn
@@ -0,0 +1,9 @@
+Still in firefox 45, I found this in the console on roundcube:
+
+```
+Public-Key-Pins: The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored.
+```
+
+I'm not sure why as Firefox does accept Let's Encrypt certificates otherwise...
+
+[[closed]]
diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment
new file mode 100644
index 0000000..6a15cd2
--- /dev/null
+++ b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment
@@ -0,0 +1,33 @@
+[[!comment format=mdwn
+ username="guilhem"
+ avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28"
+ subject="Unreproducible here (Firefox ESR 45.0.1)"
+ date="2016-04-07T16:32:37Z"
+ content="""
+Keys are properly pinned here 
+
+  1. Close the browser
+  2. Remove all mentions of `fripost.org` in `~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt`:
+
+        ~$ sed -i -r '/^(\S+\.)?fripost\.org:/d' ~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt
+        
+  3. Start the browser (without HSTS or HPKP knowledge for `fripost.org` or any of its subdomains)
+  4. Open `https://mail.fripost.org/` in a new tab
+  5. (After waiting a few seconds to let firefox flush the data.)  The 
+     HSTS policy and the two pins appear in the file:
+     
+        ~$ grep -E '^(\S+\.)?fripost\.org:' ~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt
+        mail.fripost.org:HSTS   0   16898   1475812232563,1,1
+        mail.fripost.org:HPKP   0   16898   1460047832565,1,0,SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk=/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w=
+        
+     There is no warning in the log, either.
+ 
+The root CA (*DST Root CA X3*) appear in Firefox's CA store as a \"Builtin Object Token\", while the intermediate CA (*Let's Encrypt Authority X3*) is supplied by the server and automatically stored by Firefox as a \"Software Security Device\".
+
+Do you have default settings for the `security.cert_pinning.*` [tunables](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)?
+
+    security.cert_pinning.enforcement_level = 1
+    security.cert_pinning.process_headers_from_non_builtin_roots = false
+
+Please also verify that you have no weird non-default tunables for `security.*`.
+"""]]
diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment
new file mode 100644
index 0000000..85e2da6
--- /dev/null
+++ b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Grégoire"
+ avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad"
+ subject="Whoops, not your fault ;-)"
+ date="2016-04-08T13:00:11Z"
+ content="""
+I looked into it a bit more and it seems that it's a bug in Firefox in fedora (something to do with the nss library being different).
+
+Sorry about the noise.
+"""]]
diff --git a/tracker/use_proper_certificates_for_lists.f.o__044___wiki.f.o__044___and_git.f.o.mdwn b/tracker/use_proper_certificates_for_lists.f.o__044___wiki.f.o__044___and_git.f.o.mdwn
index 042a2d0..03a6f3d 100644
--- a/tracker/use_proper_certificates_for_lists.f.o__044___wiki.f.o__044___and_git.f.o.mdwn
+++ b/tracker/use_proper_certificates_for_lists.f.o__044___wiki.f.o__044___and_git.f.o.mdwn
@@ -1,3 +1,3 @@
 Maybe a certificate signed by [CAcert](https://wiki.cacert.org/) would be enough (unless the wiki is gonna be used to power the site...)
 
-[[Done]]. The certificates of [[our public services|https://fripost.org/certs/]] are now all issued by [[Let's Encrypt|https://letsencrypt.org]].
+[[Done]]. The certificates of [our public services](https://fripost.org/certs/) are now all issued by [Let's Encrypt](https://letsencrypt.org).