So, after 4+ years of using a plain http-based wiki, we have moved today
to a new, properly SSLed wiki server! It uses an SSL cert signed by a
StartSSL CA.
Even though the cert is signed by a 3rd-party CA, they haven't got
access to our private key -- they just signed our public key, I
generated in one of my many VMs.
However, the cert's private key is stored on the wiki server and is
accessible to anyone who:
1) Can compromise the server and gain root or kernel access there,
OR
2) To Amazon admins who can always read our VM server's memory (this is
always possible and requires no exploitable bug of any sorts).
In other words, always assume the bad guys/gov have compromised this
cert and/or the wiki server itself.
Also note that Qubes OS installation ISOs are *not* served from our wiki
server -- they are distributed via
sf.net[*] and we have absolutely no
control over what happens with them on
sf.net serves (either due to
their admins or attackers modifying them). Thus:
ALWAYS CHECK DIGITAL SIGNATURES ON DOWNLOADED ISO!
ALWAYS TRY TO OBTAIN QUBES MASTER KEY FINGERPRINTS FROM DIFFERENT SOURCES!
Also note that our git repos are also not served from our wiki server
either. Our git/gitweb server does not use SSL, however all the repos
use digital signing to assure code authenticity and integrity. Our
qubes-builder automatically attempts to verify these signatures on every
pull. This provides a significantly higher security than any SSL server
could provide, because the signatures are made on developer's computers
(in dedicated devel VMs), so the private keys are not stored on any 3rd
party server.
The same applies to updates for Qubes OS which are distributed as signed
rpm packages (also from non-SSLed server, whose security is irrelevant
thus).
So, there are few security benefits with this new SSLed server, but at
least it now Looks Nice (TM). Also it now provides for a somehow more
reliable way to get the Qubes Master Singing Key fingerprints (but not
much more reliable because of the lack of control over the server as
explained above).
However, the absolutely jaw-dropping new feature is HTML-based user
authentication and registration. No longer will we need to manually
update htpasswd via ssh whenever new wiki user is to be registered.
Today the users can register themselves via a Web form!
Of course, conservative as we are, we still don't allow just anybody to
register a usable account on Qubes Wiki. For this reason we have removed
the Registration link from the wiki. Of course people can still type in
the registration URL (which I even copy below) and register, but their
accounts won't get approved by us. So, in other words, please don't.
Please who used to have accounts on the old wiki server, are requested
to register using this link:
https://wiki.qubes-os.org/register
Please use the same username as on the old wiki and also please use the
same email address as the one you use to post on our mailing lists and
to which you once got invitation for wiki access. (Yes, I know,
authenticating people via ability to send and respond from a specific
email address is not a very strong one, so to say, but then again, it
should be good enough for our wiki, which is, as explained above, not
very security critical...).
The new wiki is available under the same URL, although https is now
enforced (if you access via old http:// paths those should be
automatically redirected to https://-ed ones).
https://wiki.qubes-os.org/wiki
You might need to wait for the DNS caches to update.
Cheers,
joanna.
[*] Arguably, while it might provide some security benefit to also serve
installation ISO from our now-properly-SSLed wiki server instead of from
sf.net, especially to the proverbial grandparents, we can't afford to
host it on our rented serves because of the high bandwidth costs, which
might easily go into thousands of $ per month.