Re: [Last-Call] Secdir last call review of draft-foudil-securitytxt-08

On Dec 31, 2019, at 09:38, Salz, Rich <rsalz@xxxxxxxxxx> wrote:

>> • While the draft does spend some time describing the "Scope of the File", it doesn't address attacks against other parties using phone numbers or emails contained within the file.
>
> Why is this file worse than any other file on any other web server on the Internet?

Because those files are not claiming to be authoritative about a security contact or report method, and can mislead.

If I am a hacker and I gain access, I will want to change this file so the real administrator isn’t notified. How does a security researcher know they aren’t the first to find a vulnerability with write access in the web root? They can’t trust the content, and machine parsing the content seems incredibly dangerous.

Removing or adding some text meant to hint to security researchers that they should not blindly trust this file basically defeats the whole purpose of the file. It just creates one more location for finding possible contact information, and actually more than one, due to the whole “discovery” process described in the draft.

The idea is cute and I wish it would work. But it is just adding more dangerous work to the security researcher. Which is fine if that group wants this. But it also adds a new risk to administrators. I now need to check all these possible file locations for maliciously uploaded content that I never wanted to maintain in the first place. That is why I took the rare step of recommending this document is not published. It is, unfortunately, potentially harmful to every administrator that is not aware of this document, and might lead to not being properly contacted when there is a security issue. (And if someone claims this is not a concern, then they are also saying this document isn’t needed at all.)

Paul
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
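The message above argues that an administrator ends up having to check every location the discovery process can serve security.txt from, to catch a planted or altered copy. The following is an added example of such a check, written for this archive page and not part of the thread or of the draft: the administrator pins the SHA-256 of the copy they actually published and an allowlist of contact values, then compares what the server serves at each location. The two paths are an assumption taken from the draft's discovery process (the /.well-known path plus the legacy root path); the site contents, hostnames and addresses are constructed sample data.

```python
"""Integrity check over security.txt discovery locations.

Added example, not code from the mailing-list thread or from the draft.
Paths are an assumption based on the draft's discovery process: the
/.well-known location plus the legacy root location.
"""
import hashlib
from typing import Callable, Dict, List, Optional

# Assumed discovery locations (from the draft, not from the message above).
DISCOVERY_PATHS = ("/.well-known/security.txt", "/security.txt")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_contacts(body: bytes) -> List[str]:
    """Return the values of every 'Contact:' field.

    Field names are compared case-insensitively; lines starting with '#'
    are comments. Only the first ':' separates name from value, so
    'mailto:' and 'https:' values survive intact.
    """
    contacts: List[str] = []
    for raw in body.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "contact":
            contacts.append(value.strip())
    return contacts


def audit(fetch: Callable[[str], Optional[bytes]],
          pinned_sha256: str,
          allowed_contacts: List[str]) -> Dict[str, str]:
    """Compare each discovery location with the administrator's pinned copy.

    fetch(path) returns the bytes the server serves, or None for a 404.
    Verdict per path: 'missing', 'ok',
    'altered: unexpected contact <value>' (a contact not on the allowlist
    appears, which is the planted-file case the thread worries about), or
    'altered: content differs from pinned copy' (hash mismatch without a
    foreign contact; could be an unrecorded legitimate edit, still reconcile).
    """
    report: Dict[str, str] = {}
    for path in DISCOVERY_PATHS:
        body = fetch(path)
        if body is None:
            report[path] = "missing"
            continue
        if sha256_hex(body) == pinned_sha256:
            report[path] = "ok"
            continue
        strangers = [c for c in parse_contacts(body) if c not in allowed_contacts]
        if strangers:
            report[path] = "altered: unexpected contact " + strangers[0]
        else:
            report[path] = "altered: content differs from pinned copy"
    return report


# Constructed sample data (not a real site): the copy the administrator
# published at the canonical location ...
PUBLISHED = b"# Our security contact\nContact: mailto:security@example.com\n"
# ... and a copy planted at the legacy location that swaps in another address.
PLANTED = b"# please report here\nContact: mailto:reports@attacker.example\n"

SAMPLE_SITE: Dict[str, bytes] = {
    "/.well-known/security.txt": PUBLISHED,
    "/security.txt": PLANTED,
}


def sample_audit() -> Dict[str, str]:
    """Run the audit against the constructed sample site."""
    return audit(SAMPLE_SITE.get, sha256_hex(PUBLISHED),
                 ["mailto:security@example.com"])


if __name__ == "__main__":
    for path, verdict in sample_audit().items():
        print(f"{path}: {verdict}")
```

In a real deployment the fetch callable would perform an HTTPS GET against the site's own hostname and return None on 404; the hash and allowlist belong in the administrator's change-controlled configuration, not in the web root, since the point of the check is that the web root cannot be trusted to describe itself.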
