TokTok / c-toxcore

The future of online communications.
https://tox.chat
GNU General Public License v3.0

Create a secure way to disclose vulnerabilities #876

Open tox-user opened 6 years ago

tox-user commented 6 years ago

Please create an email address that multiple developers would have access to, for disclosing vulnerabilities in Tox, and put it in the footer of tox.chat along with a PGP public key or key fingerprint. Then educate the developers to give that address to people who want to let us know they found a vulnerability. The address could be, for example, security@tox.chat. Also create a guide on the wiki that would describe the process of responsible disclosure.

nurupo commented 6 years ago

for disclosing vulnerabilities in Tox

By "Tox" do you mean just TokTok/c-toxcore or every single Tox-related project under the sun: toxcore, qtox, utox, toxygen, ricin, toxic, antox, antidote, binding developers, website maintainers, etc.?

nurupo commented 6 years ago

If it's not just for TokTok/c-toxcore, I would argue that it's better to have per-project PGP keys and contact information. You need to realize that there are a lot of Tox-based projects, so handing a single PGP secret key to developers of all those projects and subscribing them to receive vulnerability disclosures not only of their own, but also of all other projects doesn't sound like a good idea. There would easily be 15-50 developers who would have the PGP key and access to the mailbox. Assuming none of the developers are malicious, it would take someone hacking just one developer to get access to all vulnerability disclosures of all Tox-related projects, since all of them use the same key and the same mailbox. Or someone malicious could start developing something Tox-related to legitimately get access to all vulnerability disclosures of all Tox-related projects.

I think it's the responsibility of each Tox-based project to handle vulnerability disclosures on their own. We could set up a wiki page for developers to add their own public keys/fingerprints and contact information and direct people who want to report vulnerabilities to that, with an option to PGP-email security@tox.chat if that wiki page doesn't work out for them for any reason. What do you say about that?

If you meant just TokTok/c-toxcore, a single Tox project, then yes, that's a good idea. There are about 2 active toxcore developers that I'd trust with vulnerability disclosure info on toxcore: iphy and robinli, so they could share a single PGP key between each other and we could set up an email forwarder at security-toxcore@tox.chat which would forward everything to their emails. Alternatively, since there are just 2 of them anyway, it also sounds reasonable enough to ask anyone disclosing TokTok/c-toxcore vulnerabilities to PGP-encrypt their email for 2 different keys and send it to 2 mailboxes -- iphy's and robinli's.
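The alternative nurupo describes above (one report encrypted to two separate maintainer keys, with no shared secret key) can be checked end to end with GnuPG. The script below is an added example, not code from the c-toxcore project or from anyone in this thread: it generates a key pair for each maintainer in its own isolated GnuPG home, imports only their public keys into a reporter's keyring, encrypts one message to both, and shows that each maintainer decrypts with their own key alone. The user ids (iphy@example.com, robinli@example.com), file names and the report text are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example: multi-recipient PGP encryption of a vulnerability report.
# Requires GnuPG 2.1+ on PATH. All names and addresses below are assumed.
set -e

# Create a key pair in its own GnuPG home. $1 = homedir, $2 = user id.
# Each maintainer keeps their own secret key; nothing is shared.
make_key() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never 2>/dev/null
}

# Export the public key of $2 from home $1 into the reporter's keyring $3.
# Only the public half leaves the maintainer's machine.
share_pubkey() {
    mkdir -p "$3" && chmod 700 "$3"
    gpg --homedir "$1" --batch --quiet --export "$2" |
        gpg --homedir "$3" --batch --quiet --import 2>/dev/null
}

# Encrypt plaintext $2 from reporter home $1 into $3 for recipients $4 and $5.
# One ciphertext carries one session key wrapped once per recipient key.
encrypt_report() {
    gpg --homedir "$1" --batch --quiet --yes --trust-model always \
        --recipient "$4" --recipient "$5" \
        --output "$3" --encrypt "$2" 2>/dev/null
}

# Count the public-key-encrypted session key packets in ciphertext $1;
# this equals the number of keys that can open the message.
count_recipients() {
    gpg --list-packets "$1" 2>/dev/null | grep -c ':pubkey enc packet:'
}

# Decrypt ciphertext $2 using only the secret key in home $1.
decrypt_report() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$2" 2>/dev/null
}

# Stand-alone run: two maintainers, one reporter, one report (constructed).
demo_two_recipients() {
    T=$(mktemp -d)
    printf 'constructed report: heap overflow in packet parser\n' > "$T/report.txt"
    make_key "$T/iphy" "iphy <iphy@example.com>"
    make_key "$T/robinli" "robinli <robinli@example.com>"
    share_pubkey "$T/iphy" iphy@example.com "$T/reporter"
    share_pubkey "$T/robinli" robinli@example.com "$T/reporter"
    encrypt_report "$T/reporter" "$T/report.txt" "$T/report.gpg" \
        iphy@example.com robinli@example.com
    echo "recipient keys in ciphertext: $(count_recipients "$T/report.gpg")"
    echo "iphy reads:    $(decrypt_report "$T/iphy" "$T/report.gpg")"
    echo "robinli reads: $(decrypt_report "$T/robinli" "$T/report.gpg")"
    rm -rf "$T"
}

demo_two_recipients
```

Because the reporter's keyring holds only imported public keys, `--trust-model always` is needed to encrypt in batch mode without a web-of-trust signature; in a real disclosure the reporter should instead verify the fingerprints published on the project page before trusting the keys. Compromising one maintainer's machine still exposes every report sent to that maintainer, but not a key that a third party could use to read reports addressed to someone else.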

tox-user commented 6 years ago

By Tox I meant the official toxcore (currently toktok/c-toxcore), but I see no reason to not include the main website as well (it could be a separate address). I agree that every other project needs to create their own methods. A wiki page sounds like a good idea, but remembering to update all that information (emails and PGP keys) might be difficult.

Two people for handling vulnerabilities seems not enough. What if one of them is away and another forgets to check their email for some time? It definitely can't rely on just one person, but it also can't be too many people. I think a team of 5 people would be good.

Having to send the same email to more than one place is not very convenient, so there is a possibility that people would only send it once. So it might be better to always have only one email address for each project.

nurupo commented 6 years ago

Two people for handling vulnerabilities seems not enough. What if one of them is away and another forgets to check their email for some time? It definitely can't rely on just one person, but it also can't be too many people. I think a team of 5 people would be good.

Well, there are only about 2 toxcore maintainers now. Should we wait until we have at least 5 toxcore maintainers before considering accepting vulnerability disclosures?

Having to send the same email to more than one place is not very convenient, so there is a possibility that people would only send it once. So it might be better to always have only one email address for each project.

Pretty sure you can specify more than one email in the To: field quite conveniently; in most email clients you can copy-paste foo@example.com, bar@example.com just as conveniently as a single foo@example.com. Using a single email address makes it the single point of failure, e.g. what if our mail server goes down, gets DDoSed or one way or another becomes mis-configured?

SkyzohKey commented 6 years ago

nurupo: I'd like to help handling security disclosures as I am available by mail almost 24/7. ;)

emdee-is commented 7 months ago

This request is still relevant today, >5 years later. But there's something implicit in the request:

Please create some email address, that multiple developers would have access to, for disclosing vulnerabilities in Tox and put it in the footer of tox.chat

Implicit in the request is that tox.chat is secure and maintained by the secure developers.

@nurupo Is tox.chat maintained? There's an awful lot of out-of-date stuff on it.

@iphydf Does more than one developer have write and manage privs on the site+domain, or does the whole site get taken down or frozen if just one person leaves the project without notice?