Slashdot Mirror


Security.txt Standard Proposed, Similar To Robots.txt (bleepingcomputer.com)

An anonymous reader writes: Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root to describe the site's security policies. The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers...

For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue. According to the current security.txt IETF draft, website owners would be able to create security.txt files that look like this:

#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.tx...
Acknowledgement: https://example.com/acknowledg...
Disclosure: Full
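As an added illustration (not code from the draft, the article, or the submitter), a small Python parser and pre-publication sanity check for files in the draft's format shown above. The sample text is constructed from the summary's example: the truncated URLs are replaced with placeholder paths, and the Encryption link is deliberately switched to plain http so that the check has something to flag.

```python
import re
from urllib.parse import urlparse

# Constructed sample based on the draft example in the summary; the
# truncated URLs and the http Encryption link are our own placeholders.
SAMPLE = """\
#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: http://example.com/pgp-key.txt
Acknowledgement: https://example.com/acknowledgements
Disclosure: Full
"""

EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE = re.compile(r"^\+?[0-9][0-9\-\s().]{5,}$")

def parse(text):
    # Field lines are "Name: value"; '#' lines and blank lines are skipped.
    # Repeated fields (several Contact lines) are collected in order.
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def contact_kind(value):
    # The draft allows a URL, an e-mail address, or a phone number.
    if value.startswith("http"):
        return "url"
    if EMAIL.match(value):
        return "email"
    if PHONE.match(value):
        return "phone"
    return "unknown"

def check(fields):
    # Findings a site owner should fix before publishing the file.
    findings = []
    if not fields.get("Contact"):
        findings.append("no Contact field: researchers have nowhere to report")
    for f in ("Encryption", "Acknowledgement"):
        for url in fields.get(f, []):
            if urlparse(url).scheme != "https":
                findings.append(f"{f} must use https, got {url}")
    return findings
```

Calling `check(parse(SAMPLE))` returns a single finding about the plain-http Encryption link; a key fetched over http could be swapped in transit, which would defeat the point of publishing it.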

18 of 86 comments

  1. HTML? by DontBeAMoran · · Score: 3, Informative

There's going to be <a href> tags in security.txt? No? Then don't make the links clickable in the fucking summary.

    --
    #DeleteFacebook
    1. Re:HTML? by Anonymous Coward · · Score: 2, Informative

      The Aspergers is strong in this one.

  2. Spam! by markdavis · · Score: 5, Insightful

    Yay! Zillions of more juicy Email addresses and phone numbers to collect and spam! Robots will sweep up all that data and hammer the "contacts" to death.

    1. Re:Spam! by wimg · · Score: 2

Couldn't agree more! This was exactly what I was thinking: the security contact address will be spammed so hard that it'll be hard to find the mails that should get through.

    2. Re:Spam! by Anonymous Coward · · Score: 5, Funny

      No, the security.txt file will be excluded from crawling via the robots.txt file

    3. Re:Spam! by fahrbot-bot · · Score: 3, Funny

      Yay! Zillions of more juicy Email addresses and phone numbers to collect and spam! Robots will sweep up all that data and hammer the "contacts" to death.

      Just exclude the "security.txt" file in the "robots.txt" file - problem solved. :-)

      --
      It must have been something you assimilated. . . .
    4. Re:Spam! by jmccue · · Score: 5, Funny

For US sites, how about adding the Admin's SSN, their address and their Mother's Maiden names? That way we can really know the file is genuine.

  3. Here's my guess... by toonces33 · · Score: 2

    Tools will scour the web to find the contact email addresses, and spam the crap out of them with pitches for various "security" products.

  4. P3P redux by Donwulff · · Score: 3, Insightful

    It's almost like https://www.w3.org/P3P/ wasn't already a thing that died with a whimper 10 years ago. On the other hand, an almost syntax-free text-file might gain some more traction, even if I fail to see how that's actually useful over some "About" or "Contact" link on the website menu.

5. Example by Artem S. Tashkinov · · Score: 2, Funny

    The example.com domain is getting abused again and again. I almost pity its owners.

    1. Re: Example by corychristison · · Score: 3, Informative

      Example.com is owned by IANA.

      This type of example is precisely what example.com is set up for, and is defined in RFC 2606.

  6. Non problem by whoever57 · · Score: 4, Insightful

    This is not a solution to any real problem.

    The problem is companies that don't want to hear about vulnerabilities. Those companies are unlikely to put up security.txt entries.

    "None so deaf as those that will not hear. None so blind as those that will not see." Matthew Henry.

    --
    The real "Libtards" are the Libertarians!
  7. Rewolve? by glitch! · · Score: 3, Funny

    ...who should be competent enough to get the information to a qualified person to rewolve the issue.

    Thanks for mentioning that. I totally missed the lycantrhopy part.

    --
    A dingo ate my sig...
    1. Re:Rewolve? by glitch! · · Score: 2

      ... And apparently I can't spell lycanthropy correctly the first time.

      --
      A dingo ate my sig...
    2. Re: Rewolve? by Desler · · Score: 2

      Not

      Using

      Line breaks

      Only

      Hitting

      Return.

      Works just fine here on iOS 10 with Safari.

  8. 20 Years Too Late. Whois Already Exists. by Anonymous Coward · · Score: 3, Insightful

    20 years ago this would have been a fantastic idea. In 2017, this is just another potential security hole. Spammers will scrape and hit those contacts hard.

Also, as another pointed out, it may offer little protection, since hackers can, presumably, alter the security.txt file too. It's not even signed, so how would one know which is the correct one? Presumably, Google, Microsoft, Apple, etc. could maintain a security.txt registry and monitor changes, then flag such changes in web browsers that can do such lookups. That could help, but increases the complexity. Whois, while far from perfect, already provides much the same functionality.

    Making contact easier is a worthy goal, but security.txt seems the wrong way to go about it.

  9. Minus 1 for stupidity by Anonymous Coward · · Score: 2, Insightful

    if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue.

    This is based on the false assumption that websites actually care about security. 99.9% of all companies couldn't care less, as proven by the almost daily occurrence of breaches.

  10. Better idea by corychristison · · Score: 5, Interesting

    Here's a better idea:

    Put the security.txt above the server's Document Root. That way you'd actually have to hack/exploit the server to get at the security contact's information.