Create a threat model for security.txt. #112

Open
EdOverflow opened this Issue Jun 27, 2018 · 2 comments

Comments

@EdOverflow
Member

EdOverflow commented Jun 27, 2018

While we have had discussions in other tickets concerning potential attack vectors against security.txt files, I think it would be a good idea to create one document listing all sorts of things that could go wrong with security.txt files. This would allow us to easily keep an overview of the potential problems that we need to tackle, and then eventually we can include it in the "Security Considerations" section of the Internet draft.

We need to come up with some ideas such as the ones listed in https://edoverflow.com/2018/logic-flaws-in-wot-services, and see how we can prevent them.

@EdOverflow

Member

EdOverflow commented Jun 27, 2018

I created a submission form: https://securitytxt.org/challenge.

@joker314

joker314 commented Aug 27, 2018

As with the Keybase issues, any parsers should be careful of someone redirecting from security.txt to another site.

For example, urlshortener.example.com/memorablePhrase could become urlshortener.example.com/security.txt.

Should security.txt files be allowed to redirect to external sites? Maybe we should tell parsers that they should make notes of any redirects and display them to the user?

EDIT: I'm confused how I unassigned someone by posting a message? Maybe GitHub changed the maximum number of assignees allowed and when I posted a comment, GitHub recalculated?
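One way a parser could do the redirect bookkeeping suggested in the comment above, as an added example (not the securitytxt.org project's own code; the host names are constructed): redirects are followed one hop at a time, the whole chain is recorded, and any hop that leaves the starting host or drops to plain http is flagged so the tool can show it to the user.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: a small cap is plenty for a policy file


class _NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    """Disable automatic redirect following so every hop is observed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for the 3xx instead


def analyse_chain(start_url, locations):
    """Pure helper: `locations` holds the Location header of each redirect,
    in order. Returns one record per hop; a hop is 'external' when its host
    differs from the host the client originally asked for."""
    origin = urlsplit(start_url).hostname
    current, hops = start_url, []
    for loc in locations:
        target = urljoin(current, loc)  # Location may be relative
        parts = urlsplit(target)
        hops.append({"from": current, "to": target,
                     "external": parts.hostname != origin,
                     "downgrade": parts.scheme != "https"})
        current = target
    return hops


def needs_warning(hops):
    """True if the chain ever left the origin host or left https."""
    return any(h["external"] or h["downgrade"] for h in hops)


def fetch_security_txt(url, max_hops=MAX_HOPS):
    """Fetch a security.txt following redirects manually. Returns
    (final_url, body_bytes, hops) so the caller can display the chain."""
    opener = urllib.request.build_opener(_NoAutoRedirect)
    locations, current = [], url
    for _ in range(max_hops + 1):
        try:
            with opener.open(current, timeout=10) as resp:
                return current, resp.read(), analyse_chain(url, locations)
        except urllib.error.HTTPError as err:
            loc = err.headers.get("Location")
            if err.code not in (301, 302, 303, 307, 308) or not loc:
                raise
            locations.append(loc)
            current = urljoin(current, loc)
    raise RuntimeError("too many redirects: " + " -> ".join([url] + locations))
```

`fetch_security_txt` needs network access; `analyse_chain` and `needs_warning` can be exercised offline on a constructed chain such as the shortener case from the comment.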
