💾 Archived View for gemi.dev › gemlog › 2022-02-16-use-security.txt.gmi captured on 2023-09-28 at 15:50:00. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-01-29)

-=-=-=-=-=-=-

Why you should add security.txt to your capsule

2022-02-16 | #security #kennedy | @Acidus

This is not the post where I where discuss how terrifyingly easy it is to find dozens of vulnerable capsules where you can read nearly any private file you would like from them, all thanks to the directory transversal security vulnerabilities that have been going around.

Accessing private files in a pubnix user's home directory

Robust Defence Against Directory Transversal attacks

Instead, this is the post where I discuss the challenge of trying to find contact information for dozens of vulnerable capsule owners.

"I want to talk to your supervisor!"

As I mentioned in my initial post about a directory transversal vulnerability:

I am confident this issue will be resolved and I believe it can serve as a catalyst to discuss many positive things such as: A standardized way to find contact information for the owner of a capsule.

Public Service Announcement: Security vulnerability in gemini server software

That's because as soon as I saw how widespread some of the vulnerabilities were, I knew I would need to proactively contact some of these capsule owners about problem so they could fix it. Once upon a time the way to get contact info for a domain was to use WHOIS.

WHOIS Wikipedia article

Alas, real contact information via WHOIS is a thing of the past thanks to gross scammy and spammy actors. So instead, to find contact information for ~50 different capsules I had to:

The result of this ad hoc approach sucked for 2 reasons:

The good news is this effort has somewhat worked. Within a few hours of emailing people today, I got 8 responses from capsule owners who had already updated their capsule software. Now if only in the future there was an easier way to find and contact people! Luckily, there is already a standard for specifying a point of contact for security issues: security.txt

How to use Security.txt

Security.txt allows you to defines who to contact for security-related matters. It is geared towards websites, but can be used for gemini or even gopher as well.

To start, you put a UTF-8 text file at a well known location:

gemini://gemi.dev/.well-known/security.txt

The file is a simple list of "name: value" fields. The most basic security.txt looks like this:

# who should be contacted about security problems?
Contact: mailto:acidus@gemi.dev

That's it. While There are a lot of additional fields, many are geared towards large commercial organizations, with options to specify security disclosure policies, bug bounties systems, etc. A few fields of security.txt may be useful for capsules, such as:

Why you should add a security.txt

Sadly, the majority of capsules that were vulnerable 2 weeks ago are still vulnerable today. Best case, all 40% of capsule that I could email fix it, and maybe another 20-30% find out the problems via Antenna or Station in the next few weeks fix them as well. That still leaves about 30% of the capsules vulnerable.

If instead these capsules had had a security.txt file, the same script I wrote to scan Gemini space for these vulnerable capsules could have also automatically alerted them.

I understand that for some capsule owners, not have public contact information is a feature and not a bug. I also understand that many capsule owners don't want some hacker scanning their capsules, and they certainly don't want to be contacted about it. If you don't want that, I disagree, but understand. I respectfully suggest you take other steps protect yourself, like subscripting to mail listing or feeds for the software you use so you can watch for security updates.

For the rest of you, I sincerely ask you to include contact information in a security.txt file, so good hearted people can contact you if they discover a security problem.

Tracking adoption of security.txt

Currently, only 5 capsules in all of Gemini space have a security.txt file. I added a feature to my Gemini search engine Kennedy, which shows known capsules using security.txt:

Capsules with security.txt

Looking at those is a great way to see what people are doing, and to copy them. It also allows us to track the adoption of security.txt by the Gemini community.

(Also, give Kennedy a try and help me make it a better search engine!)

Kennedy, a Gemini search engine