On Wed, Dec 11, 2019 at 10:26:37AM -0500, Paul Wouters <paul@xxxxxxxxx> wrote a message of 77 lines which said:

> To report issues with compromised servers, don't depend on the
> compromised servers. Use DNS or WHOIS/RDAP as that is more
> independent of the web servers.

As Yakov Shafranovich explained, the goal is to report vulnerabilities, not compromises. And if you fear that the attacker is already inside, this is also true for the DNS (remember the Middle East hijackings at the end of 2018) and even for Whois/RDAP. Nothing is perfectly secure.

> Some will assume people look at this new location for secure
> data. Some will assume it secure.

They are wrong; the draft is crystal-clear here, especially section 6.1. Yes, some people won't read the RFC, but that is true for every RFC.

> Also, if I look at the practical way of contacting large
> organisations about things, people already have a good set of
> patterns, and I am not convinced this problem needs solving

Your experience here does not match mine, and it doesn't match the experience of all the people who asked for such a draft, because they were frustrated by the inability to contact a knowledgeable person. My own experience is that there is no perfect solution: we use whois, DNS SOA, personal contacts, official organisations like ANSSI in France, and sometimes rants on Twitter.

I reported many security or other technical issues in my career and:

> 1) Using twitter. Those twitter accounts are actively monitored by people
> who can reach the right person for the right issues. I have a very
> high success rate contacting Fortune500 companies this way.

I had some success with Twitter, too, but also many failures. Not to mention the lack of privacy.

> 2) Using the About or Contact page on the company website.

I wonder if we live in the same world. This is probably the worst solution. (My favorite: I reported a security issue, with a copy/paste of the HTTP exchange, and I was asked to provide a screenshot...)

> 3) Use LinkedIn. Instead of using the "Hiring" field in a security.txt file
> on a company's webserver, people will use LinkedIn, or the company's
> Jobs page or About page. Even for security issues, contacting someone
> of the company at LinkedIn might give a more reliable contact that
> is independent of the entity's web or mail servers that might be
> compromised.

Using Microsoft does not seem much better than using Twitter, privacy-wise.

> Only a handful of geeks will ever look at this new .well-known location
> with quickly diminishing returns.

A few paragraphs before, you said that too many people will use security.txt...

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call