Re: [secdir] [Last-Call] Secdir last call review of draft-foudil-securitytxt-08

Paul Wouters <paul@nohats.ca> Tue, 31 December 2019 16:24 UTC

From: Paul Wouters <paul@nohats.ca>
In-Reply-To: <31A49EAD-1399-4E1F-AFB2-D1743B8DC718@akamai.com>
Date: Tue, 31 Dec 2019 11:23:54 -0500
Cc: Rob Sayre <sayrer@gmail.com>, Tero Kivinen <kivinen@iki.fi>, "last-call@ietf.org" <last-call@ietf.org>, "draft-foudil-securitytxt.all@ietf.org" <draft-foudil-securitytxt.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Message-Id: <3BD71349-2298-4B5C-B422-EB7D563F833D@nohats.ca>
References: <157720267698.19361.11750709876624228448@ietfa.amsl.com> <CAChr6SwMxi9VULdF9MKcHNqZGwX6Rv-AB72MCq2_pDmi4X2jVw@mail.gmail.com> <31A49EAD-1399-4E1F-AFB2-D1743B8DC718@akamai.com>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/qP2m_h9VS8n-DIeBpZgaw2PHo8I>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-foudil-securitytxt-08
> On Dec 31, 2019, at 09:38, Salz, Rich <rsalz@akamai.com> wrote:
> 
> While the draft does spend some time describing the "Scope of the File", it doesn't address attacks against other parties using phone numbers or emails contained within the file.
>
> Why is this file worse than any other file on any other web server on the Internet?

Because those files are not claiming to be authoritative about a security contact or report method, and can mislead.

If I am a hacker and I gain access, I will want to change this file so the real administrator isn’t notified. How does a security researcher know they aren’t the first to find a vulnerability with write access in the web root? They can’t trust the content, and machine-parsing the content seems incredibly dangerous.

Removing or adding some text meant to hint to security researchers that they should not blindly trust this file basically defeats the whole purpose of the file. It just created +1 location for finding possible contact information. And actually more than one due to the whole “discovery” process described in the draft.

The idea is cute and I wish it would work. But it is just adding more dangerous work to the security researcher. Which is fine if that group wants this. But it also adds a new risk to administrators. I now need to check all these possible file locations for maliciously uploaded content that I never wanted to maintain in the first place. That is why I took the rare step of recommending this document not be published. It is, unfortunately, potentially harmful to every administrator that is not aware of this document, and might lead to not being properly contacted when there is a security issue. (And if someone claims this is not a concern, then they also say this document isn’t needed at all.)

Paul
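The concern raised above, that an administrator now has to watch several candidate file locations for content they did not put there, is what a defender would address with a baseline check. The following is an added example written for this archive page; it is not code from the thread, from the draft authors, or from any security.txt tool. It assumes the two candidate locations the draft's discovery rules point at (`/.well-known/security.txt` and the top-level `/security.txt`), a recorded known-good copy of the deployed file, and constructed sample contents standing in for what a fetch would return; the parser is a minimal one for the `Field: value` line format and is not the draft's ABNF.

```python
"""Added example: detect drift between a deployed security.txt and its
recorded baseline, and flag files appearing at locations that should be empty.
All file contents and paths below are constructed for illustration."""
import hashlib

# Constructed sample: the file the administrator deployed and recorded as baseline.
BASELINE_FILE = """Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2020-12-31T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample: the same file after an unauthorized edit that reroutes reports.
TAMPERED_FILE = """Contact: mailto:reports@attacker.example
Expires: 2020-12-31T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
"""

# Assumption: only the well-known location is meant to carry a file on this site.
EXPECTED_PATHS = {"/.well-known/security.txt": BASELINE_FILE}

# Assumption: the locations a researcher following the draft's discovery rules would probe.
CANDIDATE_PATHS = ["/.well-known/security.txt", "/security.txt"]


def parse_security_txt(text):
    """Map each field name (lower-cased) to the list of values seen for it.
    Blank lines and '#' comment lines are ignored; any other line without a
    colon is treated as malformed, since a hand-edited file is itself a signal."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_against_baseline(observed_text, baseline_text):
    """Return human-readable findings; an empty list means the file matches."""
    findings = []
    if sha256(observed_text) == sha256(baseline_text):
        return findings
    observed = parse_security_txt(observed_text)
    baseline = parse_security_txt(baseline_text)
    # Compare field by field so the report says what moved, not just that something did.
    for name in sorted(set(observed) | set(baseline)):
        expected = baseline.get(name, [])
        got = observed.get(name, [])
        if expected != got:
            findings.append(f"{name}: expected {expected}, found {got}")
    # Contact is the field whose rewrite silently diverts vulnerability reports.
    if "contact" not in observed:
        findings.append("contact: field missing entirely")
    return findings


def audit_locations(observed_by_path, expected_by_path=EXPECTED_PATHS):
    """observed_by_path maps a candidate path to the text served there, or is
    missing the key when nothing is served. Returns {path: [findings]} covering
    drift at expected locations and any file at a location that should be empty."""
    report = {}
    for path in CANDIDATE_PATHS:
        observed = observed_by_path.get(path)
        expected = expected_by_path.get(path)
        if expected is None and observed is not None:
            report[path] = ["unexpected file present at this location"]
        elif expected is not None and observed is None:
            report[path] = ["expected file is missing"]
        elif expected is not None:
            findings = check_against_baseline(observed, expected)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    # Scenario: the well-known file is intact but a second file appeared at the legacy path.
    for path, findings in audit_locations({
        "/.well-known/security.txt": BASELINE_FILE,
        "/security.txt": TAMPERED_FILE,
    }).items():
        print(path, findings)
```

The hash short-circuit keeps the common case cheap; the field-level diff only runs when something changed, so the alert names the rewritten field rather than forcing a manual comparison. Running the audit from a host other than the web server, against the content actually served, is what makes it useful: a check that reads the file from the same document root an intruder can write to reports only what the intruder left there.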