Here I am sneaking in some last minute updates before the end of the year. I know I just posted an update a few days ago, but I’ve implemented some additional improvements since then that I wanted to share.
First of all, and this is pretty cool I think, we’ve implemented HTTP Strict Transport Security for all GNOME domains that require SSL. For the end-user this primarily means bugzilla and tomboy-online. If you’re not familiar with HTTP Strict Transport Security, check out the spec here. Essentially, the web server sends a specific header, ‘Strict-Transport-Security’, to the client browser, including a TTL. Supporting browsers (Chrome and Firefox 4 currently) store this header value and, for as long as the TTL lasts, connect directly over https on every subsequent connection. This means that once you’ve visited bugzilla and connected to it via SSL, any future connections inside that TTL time value will go directly to the SSL site and never touch the non-SSL one. (Normally, connections not explicitly made to https are redirected from http to https.)
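As an added example (not the GNOME sysadmin team’s code), here is a small Python model of the browser-side behaviour described above: it parses the header, caches the policy together with its TTL, and decides whether a plain http request must be rewritten to https. The header syntax assumed (a max-age directive in seconds, plus the optional includeSubDomains directive) comes from the spec rather than from this post, and the policy cache and time values are constructed.

```python
# Added example, not GNOME's code: a minimal model of how an HSTS-aware browser
# caches a Strict-Transport-Security header and later upgrades http:// to https://.

def parse_sts_header(value):
    """Parse 'max-age=N[; includeSubDomains]' -> (max_age, include_subdomains),
    or None if max-age is missing or non-numeric (such a header must be ignored)."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)

def store_policy(policies, host, header_value, now):
    """Record the policy learned over HTTPS at time `now` (seconds). Policies are
    kept as host -> (expires_at, include_subdomains); max-age=0 forgets the host."""
    parsed = parse_sts_header(header_value)
    if parsed is None:
        return
    max_age, include_subdomains = parsed
    if max_age == 0:
        policies.pop(host.lower(), None)
    else:
        policies[host.lower()] = (now + max_age, include_subdomains)

def must_use_https(policies, host, now):
    """True if a plain http:// request to `host` at `now` must be rewritten to https://,
    i.e. an unexpired policy exists for the host or, with includeSubDomains, for a parent."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = policies.get(candidate)
        if entry is None or entry[0] <= now:
            continue          # no policy, or its TTL has run out: plain http is allowed
        if i == 0 or entry[1]:
            return True
    return False
```

Note that the policy is only ever learned over an SSL connection; a header seen over plain http is never stored, which is exactly why the first visit still has to be redirected.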
I think this is a pretty cool security addition, and closes another sysadmin ticket!
Second, my main project for the day has been our monitoring system. It got some attention today by way of adding a few missed hosts as well as adding some remote checks for services. We’re now tracking the health of most of our mysql servers and watching a few new values such as load average, etc. I’ve also added checks to monitor the status of our SSL certificates. Currently these checks will start to alert us when the certificate is within two weeks of expiration.
Ohh, I also added a certificate to mail.gnome.org, which previously didn’t have one. This now allows (but doesn’t yet require) secure connections to the mailing lists, archives and administration pages. I felt this was important given that credentials are passed between client and server for mailman list administration and queue management, which is another task the Moderators team and I handle daily.
I think we’ve made some good progress this week and hopefully it sets a good precedent for the new year.