Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Security The Internet

Security.txt Standard Proposed, Similar To Robots.txt (bleepingcomputer.com) 86

An anonymous reader writes: Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root and describe the site's security policies. The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers...

For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue. According to the current security.txt IETF draft, website owners would be able to create security.txt files that look like this:

#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.tx...
Acknowledgement: https://example.com/acknowledg...
Disclosure: Full

This discussion has been archived. No new comments can be posted.

Security.txt Standard Proposed, Similar To Robots.txt

Comments Filter:
  • HTML? (Score:4, Informative)

    by DontBeAMoran ( 4843879 ) on Saturday September 16, 2017 @01:52PM (#55210459)

    There's going to be <a href>> tags in security.txt? No? Then don't make the links clickable in the fucking summary.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      The Aspergers is strong in this one.

  • by TFlan91 ( 2615727 )

    Hell, I'll be implementing that Monday morning for a couple servers, screw waiting for the standard.

    • You left a couple of things out: #I'llGetRightOnThat /sarcasm
      • by Anonymous Coward

        if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue.

        This is based on the false assumption that websites actually care about security. 99.9% of all companies couldn't care less, as proven by the almost daily occurrence of breaches.

        • by arth1 ( 260657 )

          if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue.

          This is based on the false assumption that websites actually care about security. 99.9% of all companies couldn't care less, as proven by the almost daily occurrence of breaches.

          It is based on the false assumption that the ones looking up the security.txt file would be people with your best interest in mind, and not spammers and telemarketers who want to sell you security products, or black hats looking for contacts to spearfish.

  • Spam! (Score:5, Insightful)

    by markdavis ( 642305 ) on Saturday September 16, 2017 @01:57PM (#55210481)

    Yay! Zillions of more juicy Email addresses and phone numbers to collect and spam! Robots will sweep up all that data and hammer the "contacts" to death.

  • by toonces33 ( 841696 ) on Saturday September 16, 2017 @01:59PM (#55210491)
    Tools will scour the web to find the contact email addresses, and spam the crap out of them with pitches for various "security" products.
    • by Anonymous Coward

      Yep. Will happen. Besides, unnecessary. Whois entry already has contact info (if it's correct and maintained). If necessary, perhaps a line could be added to the Whois info? And maintenance is the issue: better to have it in one place.

    • even worse than that, the goddamn telemarketers will be all over the phone number.

  • by Anonymous Coward

    How long until root kits are updated to change the contact info to look like lolz@yeahnope.com and the phone number of some random Equifax branch office? -PCP

  • P3P redux (Score:4, Insightful)

    by Donwulff ( 27374 ) on Saturday September 16, 2017 @02:11PM (#55210551)

    It's almost like https://www.w3.org/P3P/ wasn't already a thing that died with a whimper 10 years ago. On the other hand, an almost syntax-free text-file might gain some more traction, even if I fail to see how that's actually useful over some "About" or "Contact" link on the website menu.

    • by AmiMoJo ( 196126 )

      It's extremely useful. If you see this file with contact details, you know that you have a legal defense if they try to sue you for pointing out their crap security.

      • It's extremely useful. If you see this file with contact details, you know that you have a legal defense if they try to sue you for pointing out their crap security.

        That's an argument for why you want them to do it, not why they should want to do it.

        • by AmiMoJo ( 196126 )

          If they care about security it helps them. If they don't, it's absence warns people to do anonymous disclosure.

      • by Donwulff ( 27374 )

        The issue I pointed out wasn't that this wouldn't be useful, but that P3P is a W3C officially recommended protocol/standard started 20 years ago that already does this but much better. However, it never really caught on, and I suspect one main reason is companies don't really want accountability. For the legal defense, the only solution would be a law unequivocally granting immunity if you disclose a vulnerability in responsible manner. A security.txt file isn't worth the paper it's printed on (ie. none) in

  • Example (Score:3, Funny)

    by Artem Tashkinov ( 764309 ) on Saturday September 16, 2017 @02:12PM (#55210557)
    The example.com domain is getting abused again and again. I almost pity its owners.
  • Non problem (Score:5, Insightful)

    by whoever57 ( 658626 ) on Saturday September 16, 2017 @02:17PM (#55210577) Journal

    This is not a solution to any real problem.

    The problem is companies that don't want to hear about vulnerabilities. Those companies are unlikely to put up security.txt entries.

    "None so deaf as those that will not hear. None so blind as those that will not see." Matthew Henry.

    • On the contrary, standards are super important. If not having a security.txt was considered as negligence by the courts, you'd find many companies needing to add them in order for certifications or to not face crazy damages in the case of a breach. An objective, easy standard like security.txt makes that significantly more likely than anything that requires technical expertise.

      Further, it will lead to standardized/codified standards to respond and cascade in that manner.

      • On the contrary, standards are super important.

        Where I live often seems as if standardizing the size and shape of check boxes is what's most important.

        If not having a security.txt was considered as negligence by the courts

        More likely companies would be afraid to add security.txt for fear its presence represents implicit permission/cover to hack/probe.

        Researchers already face legal risks simply for reporting what they innocently stumble upon. Personally I would only report site vulnerabilities anonymously and probably not even that.

        You'd find many companies needing to add them in order for certifications or to not face crazy damages in the case of a breach.

        My own opinion this is much more likely to end up being yet another joke nobody quite gets

    • Bang on!

      Security, proper, I mean proper proper, as in 'I say it to my Master, he does not beat me with a stick for being stupid' proper...

      Proper security does not, and cannot, assume that they other lot are abiding by any sort of social convention. Anything less is 'faux security' and, while very marketable, is worse than nothing.

      The only laws hackers must abide by are those of physics and mathematics, and only then when physics and mathematics are done properly.

  • by Anonymous Coward on Saturday September 16, 2017 @02:29PM (#55210645)

    20 years ago this would have been a fantastic idea. In 2017, this is just another potential security hole. Spammers will scrape and hit those contacts hard.

    Also, as another pointed out, may offer little protection, since hackers can, presumably, can alter the security.txt file too. It's not even signed, so how would one know which is the correct one? Presumably, Google, Microsoft, Apple, etc could maintain a security.txt registry and monitor changes. Then flag such changes in web browsers that can do such lookups. That could help, but increases the complexity. Whois, while far from perfect, already provides much same functionality.

    Making contact easier is a worthy goal, but security.txt seems the wrong way to go about it.

    • by Ash-Fox ( 726320 )

      20 years ago this would have been a fantastic idea.

      Wrong. 20 years ago, we would have said "use WHOIS records".

  • Better idea (Score:5, Interesting)

    by corychristison ( 951993 ) on Saturday September 16, 2017 @04:28PM (#55211113)

    Here's a better idea:

    Put the security.txt above the server's Document Root. That way you'd actually have to hack/exploit the server to get at the security contact's information.

  • 1. The WHOIS database normally carries an abuse email address. 2. This does SFA for port scans, email abuse or other abuses not hosted on an web server.
    • by Anonymous Coward

      Isn't it obvious? It doesn't involve http so it might as well not exist, as far as "full stack developers" are concerned. Reinventing the wheel badly is what computing is all about.

      Yes, whois was invented exactly for this sort of thing. Indeed, this proposal is in no way an improvement over the existing infrastructure.

      Also, a pox on the editors for linking bleepingcomputer and not the IETF. But this seems to be the gold standard in "web" also.

      Honestly, everyone who does understand what whois is for ought to

  • how about whois + dns - oh wait we already have it
  • Shouldn't there be a !DONTHACKMEBRO! directive?
  • Step 1. Add a file security.txt to your web server containing your contact information.

    Draft itself has an obvious security hole.

    Section 4:
    " As stated in Section 2.4, keys specified using the "Encryption:" directive SHOULD be loaded over HTTPS."

    There is no suggestion anywhere in the draft security.txt be served over a secure transport rendering section 4 suggestion for reference to public key be secure moot.

  • The problem is that they don't want to hear about it. You want to see some change? Promote whichever existing security advisory system is most ruthless about disclosure, and send everyone there to announce everything they discover.

  • I hope this gets update to comply with RFC 5785 [ietf.org]. There are far too many people inventing "special" URLs at the root level of sites, which are likely to clash with pages that already exist. RFC 5785 says that such URLs should be like http ://example.org/.well-known/security.txt instead of http ://example.org/security.txt . That way, they won't clash with existing pages. RFC 5785 also defines a registry for these URLs, to avoid the situation where two specs define different meanings for the same URL.

In space, no one can hear you fart.

Working...