2022-02-15 | #security #kennedy
This is not the post where I discuss how terrifyingly easy it is to find dozens of vulnerable capsules from which you can read nearly any private file you would like, all thanks to the directory traversal security vulnerabilities that have been going around.
Accessing private files in a pubnix user's home directory
Robust Defence Against Directory Transversal attacks
Instead, this is the post where I discuss the challenge of trying to find contact information for dozens of vulnerable capsule owners.
As I mentioned in my initial post about a directory traversal vulnerability:
I am confident this issue will be resolved and I believe it can serve as a catalyst to discuss many positive things such as: A standardized way to find contact information for the owner of a capsule.
Public Service Announcement: Security vulnerability in gemini server software
That's because as soon as I saw how widespread some of the vulnerabilities were, I knew I would need to proactively contact some of these capsule owners about the problem so they could fix it. Once upon a time, the way to get contact info for a domain was to use WHOIS.
Alas, real contact information via WHOIS is a thing of the past, thanks to gross, scammy and spammy actors. So instead, to find contact information for ~50 different capsules I had to:
The result of this ad hoc approach sucked for 2 reasons:
The good news is this effort has somewhat worked. Within a few hours of emailing people today, I got 8 responses from capsule owners who had already updated their capsule software. Now if only in the future there was an easier way to find and contact people! Luckily, there is already a standard for specifying a point of contact for security issues: security.txt
Security.txt lets you define who to contact for security-related matters. It is geared towards websites, but can be used for Gemini or even Gopher as well.
To start, you put a UTF-8 text file at a well known location:
gemini://gemi.dev/.well-known/security.txt
The file is a simple list of "name: value" fields. The most basic security.txt looks like this:
```
# who should be contacted about security problems?
Contact: mailto:acidus@gemi.dev
```
That's it. While there are a lot of additional fields, many are geared towards large commercial organizations, with options to specify security disclosure policies, bug bounty systems, etc. A few fields of security.txt may be useful for capsules, such as:
Sadly, the majority of capsules that were vulnerable 2 weeks ago are still vulnerable today. Best case, all 40% of the capsules I could email fix it, and maybe another 20-30% find out about the problem via Antenna or Station in the next few weeks and fix it as well. That still leaves about 30% of the capsules vulnerable.
If instead these capsules had had a security.txt file, the same script I wrote to scan Gemini space for these vulnerable capsules could have also automatically alerted them.
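Here is what the "automatically alert them" step of such a scanner looks like in practice, as an added example (not Kennedy's code and not from the original post): it takes the raw Gemini response for a capsule's /.well-known/security.txt, handles the case where the file is missing (a non-20 status), parses the "name: value" lines described above, and returns the Contact URIs, while also checking the optional Expires field so a stale file is not trusted. The capsule name, addresses and dates in the sample response are constructed for the example; the field names follow RFC 9116.

```python
"""Extract security contacts from a security.txt served over Gemini.

Added example; not the post's or Kennedy's own code. Assumes the field
names from RFC 9116 (Contact, Expires, ...). The sample response below is
constructed and does not describe a real capsule.
"""
import re
from datetime import datetime, timezone

# Constructed sample: what a client would read back from
# gemini://example.org/.well-known/security.txt (hypothetical capsule).
SAMPLE_RESPONSE = (
    b"20 text/plain\r\n"
    b"# who should be contacted about security problems?\r\n"
    b"Contact: mailto:admin@example.org\r\n"
    b"Contact: gemini://example.org/contact.gmi\r\n"
    b"Expires: 2023-01-01T00:00:00Z\r\n"
    b"Preferred-Languages: en\r\n"
)

# Constructed sample: the capsule has no security.txt at all.
NOT_FOUND_RESPONSE = b"51 Not found\r\n"

# A Contact value must be a URI, i.e. start with a scheme (mailto:, gemini:, https:, ...).
URI_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")


def split_gemini_response(raw):
    """Split a raw Gemini response into (status, meta, body).

    The header is "<2-digit status> <meta>\\r\\n"; everything after is the body.
    """
    header, sep, body = raw.partition(b"\r\n")
    if not sep or len(header) < 2 or not header[:2].isdigit():
        raise ValueError("malformed Gemini response header")
    status = int(header[:2])
    meta = header[2:].strip().decode("utf-8", "replace")
    return status, meta, body.decode("utf-8", "replace")


def parse_security_txt(text):
    """Parse security.txt lines into {field-name (lowercased): [values]}.

    Blank lines and '#' comments are skipped; a field may repeat (e.g. several
    Contact lines), so each name maps to a list in file order.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "name: value" line; ignore it
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_time(value):
    """Parse an ISO 8601 timestamp such as 2023-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_expired(fields, now_iso=None):
    """True if the file carries an Expires field that is in the past.

    `now_iso` lets a caller pin "now" for testing; default is the current UTC time.
    """
    expires = fields.get("expires")
    if not expires:
        return False  # Expires is optional; absence is not expiry
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return now >= _parse_time(expires[0])


def security_contacts(raw_response):
    """Return the list of Contact URIs, or None if the capsule serves no security.txt."""
    status, _meta, body = split_gemini_response(raw_response)
    if status != 20:
        return None  # e.g. 51 Not found: nothing to alert, fall back to other means
    fields = parse_security_txt(body)
    return [c for c in fields.get("contact", []) if URI_RE.match(c)]


if __name__ == "__main__":
    print(security_contacts(SAMPLE_RESPONSE))
    print(security_contacts(NOT_FOUND_RESPONSE))
```

A scanner would call `security_contacts` on whatever its Gemini client read back for each capsule, and for every `mailto:` contact in the result it could send the same notification that was sent by hand here; a `None` result is exactly the case described in this post, where the owner has to be tracked down some other way.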
I understand that for some capsule owners, not having public contact information is a feature and not a bug. I also understand that many capsule owners don't want some hacker scanning their capsules, and they certainly don't want to be contacted about it. If you don't want that, I disagree, but I understand. I respectfully suggest you take other steps to protect yourself, like subscribing to mailing lists or feeds for the software you use so you can watch for security updates.
For the rest of you, I sincerely ask you to include contact information in a security.txt file, so good-hearted people can contact you if they discover a security problem.
Currently, only 5 capsules in all of Gemini space have a security.txt file. I added a feature to my Gemini search engine Kennedy, which shows known capsules using security.txt:
Looking at those is a great way to see what people are doing, and to copy them. It also allows us to track the adoption of security.txt by the Gemini community.
(Also, give Kennedy a try and help me make it a better search engine!)