IETF Logo Mail Archive

Re: [saag] Comments on draft-foudil-securitytxt-04

Paul Wouters <pwouters@redhat.com> Wed, 09 January 2019 00:39 UTC

Return-Path: <pwouters@redhat.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E635512D4ED for <saag@ietfa.amsl.com>; Tue, 8 Jan 2019 16:39:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9g_NaGlwc8K8 for <saag@ietfa.amsl.com>; Tue, 8 Jan 2019 16:39:31 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78FF8124408 for <saag@ietf.org>; Tue, 8 Jan 2019 16:39:31 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CC658D792C; Wed, 9 Jan 2019 00:39:30 +0000 (UTC)
Received: from bofh7.nohats.ca (ovpn-204-54.brq.redhat.com [10.40.204.54]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7F5AF60BEC; Wed, 9 Jan 2019 00:39:29 +0000 (UTC)
To: Randy Bush <randy@psg.com>, Yakov Shafranovich <yakov@nightwatchcybersecurity.com>
Cc: "saag@ietf.org" <saag@ietf.org>
References: <MMXP123MB1423DD96BF73BBAE4AEAE121D3BE0@MMXP123MB1423.GBRP123.PROD.OUTLOOK.COM> <CAAyEnSOe3W5CZwajXk9qZk8vtiHC8P2AUOeP9atpr_6ZJtoLBw@mail.gmail.com> <LOXP123MB141659AE0F5B8D514A8F4CB5D3B20@LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM> <48E913F3-59C7-4ED3-B742-CDE033453FBB@akamai.com> <ac942953-9820-c041-6f6c-726ef224e7d8@redhat.com> <13AA6D29-CC99-49B6-A671-BFD0E407C507@akamai.com> <2C5F7D9D-47A2-4665-9DC8-58C01A93351E@gmail.com> <m2zhscnw6c.wl-randy@psg.com> <BN6PR14MB11062151603BBCA7D5EBEC7783890@BN6PR14MB1106.namprd14.prod.outlook.com> <CAAyEnSP4iu3aN2KaXsZafTjWw=X6oiyd44a5bzpaAupLGCRJzQ@mail.gmail.com> <m21s5nofaa.wl-randy@psg.com>
From: Paul Wouters <pwouters@redhat.com>
Openpgp: preference=signencrypt
Message-ID: <1f05cbe4-7f06-3e7b-aaf3-f8cf71f6f392@redhat.com>
Date: Tue, 08 Jan 2019 19:39:27 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <m21s5nofaa.wl-randy@psg.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Wed, 09 Jan 2019 00:39:30 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/KpCUzzQE184ldt8bgDFSSlk1VwY>
Subject: Re: [saag] Comments on draft-foudil-securitytxt-04
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2019 00:39:34 -0000

On 01/08/2019 01:05 AM, Randy Bush wrote:
>> This proposal is addressing item #3 - all it is providing is a simple
>> way for an organization to publish a security reporting policy on
>> their website in a standard, machine-parsable way, and stored in a
>> standard location. It is certainly not claiming to be more secure than
>> that approach, but at the same time it not less secure than publishing
>> this information on a website directly like it is done today.
> 
> https is pretty widely deployed.  most of the searches you enumerated
> are tls protected today.  this proposal goes against that for no good
> reason.  if this is not fixed, on last call i will stand with tim and
> just shoot the damned horse.

This does not make sense to me. If you are presenting security.txt for an HTTP
resource, it will naturally be served over HTTP, not HTTPS. The whole point
of this thing is that it is present on the resource itself, not somewhere else[.*]

If http://example.com is compromised, and you grab http://example.com/security.txt,
then whether the content of security.txt points to an HTTP or HTTPS resource is
meaningless.

You already lost on the initial unprotected download of security.txt (be it by
server compromise or active network attacker)

You can't have your horse and shoot it too.

Paul
[*] If you want the security of "somewhere else", you should have started to
look there in the first place.

v2.23.0 | Report a Bug | By Email