Re: [secdir] SECDIR Review draft-koster-rep

tirumal reddy <kondtir@gmail.com> Thu, 23 June 2022 07:42 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vIKzYcJErFqO61Yzt0z5nybIFWo>

On Wed, 22 Jun 2022 at 21:06, Gary Illyes <garyillyes@google.com> wrote:

> Thanks Tiru!
>
> I updated our public repository with your suggestions and a diff of the
> changes can be seen at
> https://github.com/google/robotstxt/commit/a048272f9091570db556cf3656b6d33250797bba
>
> Specifically on point c) we added a new paragraph with a list of vectors
> related to implementors based on a conversation we had with our security
> team. On point a) and b) we restated that robots.txt is not a security
> measure whatsoever and folks should employ a valid security measure such as
> IP based ACL
>

Thanks Gary, changes look good to me. Are there better security measures to
refer to than the IP based ACL (IP reputation is challenging with IPv6
addresses and the IP address can possibly be spoofed)?

-Tiru


>
> On Mon, Jun 20, 2022 at 1:51 PM tirumal reddy <kondtir@gmail.com> wrote:
>
>> SECDIR Review draft-koster-rep
>>
>>
>> Reviewer: Tirumaleswar Reddy
>> Review result: Ready with Issues
>>
>>
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG. Document editors and WG chairs should treat these comments
>> just like any other last call comments.
>>
>>
>>
>> You may want to discuss the following security threats:
>>
>>
>>
>> a) Revealing disallowed URIs will make its paths easily discoverable.
>> However, security by obscurity will not maintain or increase the security
>> of the content provider (you can refer to
>> https://datatracker.ietf.org/doc/html/rfc4949).
>>
>> b) A malicious crawler will not honor the disallow rules and can try to
>> access the disallowed URIs, it should be mitigated by access control
>> restrictions. Discuss any other counter-measures used to block such malicious
>> crawlers (like blocking the IP address).
>>
>> c) Attacks possible on crawlers because of a malicious robots.txt file.
>>
>>
>> Cheers,
>>
>> -Tiru
>>
>
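Point b) in the review (a crawler that ignores the disallow rules) can be turned into a log check on the server side: robots.txt already lists the paths that well-behaved crawlers must skip, so the same file can drive a detector that flags clients requesting those paths, which is a basis for the access-control or blocking counter-measures the review asks about. This is an added example, not part of the review, the draft or the google/robotstxt project; it handles only a single `User-agent: *` group, uses a simplified longest-prefix-match rule, and runs on a constructed robots.txt and constructed access-log lines.

```python
import re
from urllib.parse import urlsplit

# Constructed robots.txt for the example (not from the draft or the thread).
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup
Allow: /admin/public
"""

# Constructed access-log lines in Common Log Format; IPs are documentation ranges.
ACCESS_LOG = """\
203.0.113.7 - - [23/Jun/2022:07:42:01 +0000] "GET /robots.txt HTTP/1.1" 200 95
203.0.113.7 - - [23/Jun/2022:07:42:02 +0000] "GET /admin/users HTTP/1.1" 200 1200
203.0.113.7 - - [23/Jun/2022:07:42:03 +0000] "GET /backup.tar.gz HTTP/1.1" 200 99999
198.51.100.9 - - [23/Jun/2022:07:43:10 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [23/Jun/2022:07:43:11 +0000] "GET /admin/public/faq HTTP/1.1" 200 640
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_rules(text):
    """Return (allow, disallow) path prefixes; assumes one 'User-agent: *' group."""
    allow, disallow = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "disallow" and value:
            disallow.append(value)
        elif field == "allow" and value:
            allow.append(value)
    return allow, disallow


def is_disallowed(path, allow, disallow):
    """Longest matching prefix wins; an allow rule wins a tie (simplified)."""
    best_allow = max((len(p) for p in allow if path.startswith(p)), default=-1)
    best_disallow = max((len(p) for p in disallow if path.startswith(p)), default=-1)
    return best_disallow > best_allow


def clients_ignoring_rules(log_text, robots_text):
    """Map client IP -> disallowed paths it requested, noting if it read robots.txt."""
    allow, disallow = parse_rules(robots_text)
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                # skip unparseable lines
        ip, _method, target, _status = m.groups()
        path = urlsplit(target).path
        if path == "/robots.txt":                   # the client saw the rules
            report.setdefault(ip, {"fetched_robots": False, "paths": []})["fetched_robots"] = True
        elif is_disallowed(path, allow, disallow):
            report.setdefault(ip, {"fetched_robots": False, "paths": []})["paths"].append(path)
    return {ip: r for ip, r in report.items() if r["paths"]}
```

Clients that fetched robots.txt and then requested disallowed paths are the clearest candidates for blocking; the output is a starting point for an ACL, not a substitute for authenticating access to the paths themselves.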