
Comments (5)

EdOverflow avatar EdOverflow commented on July 30, 2024

Hi @jskiba99,

This is a valid concern and thank you for raising this issue. Currently my thought is to work together with different companies in the industry to make this work. Essentially we could solve many problems (#14) with an external service/index that monitors security.txt files. Several companies have volunteered to be in charge of this and I hope that we can open source a tool that monitors security.txt files at some point to allow others to follow suit.

I would love to hear your thoughts on this and do you have any other suggestions/possible solutions?

from security-txt.

nightwatchcyber avatar nightwatchcyber commented on July 30, 2024

Would allowing a PGP or S/MIME signature for the security.txt file help here? Combined with some sort of DNS-based (like DANE) or web based PKI, it may be possible to verify the signature then.


nightwatchcyber avatar nightwatchcyber commented on July 30, 2024

We also should clarify what the threat model is and what can happen if the file is compromised or forged. I assume if that happens, the attacker can now start collecting security reports about a domain and can hone their attacks further.

A good example of this modeling discussion can be found in the ACME protocol that is used by LetsEncrypt:
https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-10

It also seems from ACME that HTTP challenges are a good enough proof to issue SSL certificates. If the level of threat is the same as here, then maybe authentication may not be as important.

One more idea to throw out - we can also require or recommend that "security.txt" files always be loaded over a valid TLS connection. Not sure if that will actually work in real life.


rhymeswithmogul avatar rhymeswithmogul commented on July 30, 2024

I like the idea of requiring security.txt be loaded over HTTPS, but a lot of small companies rely on cheap Web hosting that only supports HTTP. To ensure the widest adoption, I think the next draft of the RFC should read "security.txt SHOULD be loaded over HTTPS" rather than "MUST be loaded."

With that in mind, having some kind of second factor to authenticate the security.txt file would be a great enhancement. There could be a line such as "PGP-Signature: <url>" for detached signatures, or the RFC could be amended to allow for inline signatures, with something along the lines of, "To allow security.txt to be cryptographically signed with PGP, user agents MUST ignore any lines not in the 'Thing: Value' format."

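The two signing approaches discussed in this thread (nightwatchcyber's PGP signature on the file, and the detached "PGP-Signature: <url>" field versus an inline signature with non-"Thing: Value" lines ignored) both need a parser on the consumer side that can tell fields apart from signature framing. The example below is added here for illustration; it is not code from the security-txt project or from any commenter. It parses a security.txt that may be wrapped in an RFC 4880 cleartext signature, separates the signed text and the armored signature block, and collects the fields. One caveat it handles that a naive "ignore lines not in Thing: Value format" rule misses: the cleartext armor header "Hash: SHA256" itself looks like a field, so it must be skipped before field parsing. The sample inputs, the "PGP-Signature" field name (the proposal from this thread, not a standardised field) and the placeholder signature block are constructed; actual signature verification is delegated to an OpenPGP implementation such as gpg and is not performed here.

```python
"""Parse security.txt, tolerating an inline (cleartext) PGP signature.

Added example for this thread; not code from the security-txt project.
Signature *verification* is left to an OpenPGP implementation (e.g. gpg);
this only separates the signed text, the signature block and the fields.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A security.txt field: "Name: value". Names are compared case-insensitively.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*?)\s*$")

CLEARTEXT_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


@dataclass
class SecurityTxt:
    fields: Dict[str, List[str]]   # lower-cased name -> values (fields may repeat)
    signed_text: Optional[str]     # text covered by the signature, None if unsigned
    signature: Optional[str]       # ASCII-armored signature block, None if unsigned
    ignored: List[str]             # lines that were not "Name: value" and were skipped


def _find(lines: List[str], marker: str, start: int) -> int:
    for i in range(start, len(lines)):
        if lines[i].strip() == marker:
            return i
    raise ValueError(f"missing {marker!r}: malformed cleartext signature")


def split_cleartext_signature(lines: List[str]) -> Tuple[List[str], str]:
    """Return (body_lines, signature_block) for an RFC 4880 cleartext-signed file."""
    # Armor headers such as "Hash: SHA256" follow the BEGIN line up to a blank
    # line. They look exactly like "Name: value" fields, so they are skipped
    # here instead of being handed to the field parser.
    i = 1
    while i < len(lines) and lines[i].strip() != "":
        i += 1
    i += 1  # skip the blank line that ends the armor headers
    sig_start = _find(lines, SIG_BEGIN, i)
    sig_end = _find(lines, SIG_END, sig_start)
    # Undo dash-escaping: a body line beginning with "-" is stored as "- -...".
    body = [ln[2:] if ln.startswith("- ") else ln for ln in lines[i:sig_start]]
    return body, "\n".join(lines[sig_start:sig_end + 1])


def parse_security_txt(text: str, require_signature: bool = False) -> SecurityTxt:
    lines = text.splitlines()
    signed_text = signature = None
    body = lines
    if lines and lines[0].strip() == CLEARTEXT_BEGIN:
        body, signature = split_cleartext_signature(lines)
        signed_text = "\n".join(body)
    elif require_signature:
        raise ValueError("security.txt is not signed but policy requires a signature")

    fields: Dict[str, List[str]] = {}
    ignored: List[str] = []
    for line in body:
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
        else:
            ignored.append(line)  # comments, blank lines, anything else
    return SecurityTxt(fields, signed_text, signature, ignored)


# Constructed sample; the signature block is a placeholder, not a real signature.
SIGNED_SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Constructed sample security.txt; placeholder signature below.
Contact: mailto:security@example.com
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.txt
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdPLACEHOLDERPLACEHOLDERPLACEHOLDER
=PLAC
-----END PGP SIGNATURE-----
"""

# Constructed unsigned sample using the detached-signature field proposed above.
UNSIGNED_SAMPLE = """Contact: mailto:security@example.com
PGP-Signature: https://example.com/security.txt.sig
"""

if __name__ == "__main__":
    doc = parse_security_txt(SIGNED_SAMPLE)
    print(doc.fields)
    print("signature block present:", doc.signature is not None)
    print("ignored lines:", doc.ignored)
```

Run as a script it prints the parsed fields of the signed sample; the "Hash:" armor header does not appear among them. Passing require_signature=True makes the parser reject an unsigned file, which is how a consumer would express the "MUST be signed" policy the thread discusses, while the detached-signature variant simply surfaces as a pgp-signature field whose URL the consumer fetches and verifies separately.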

EdOverflow avatar EdOverflow commented on July 30, 2024

This issue has been resolved in 53931bd. The section still needs a lot of work, but the general idea is already there.

