hotsh / rstat.us

Simple microblogging network based on the ostatus protocol.
http://rstat.us/

Security page #739

Open steveklabnik opened 11 years ago

steveklabnik commented 11 years ago

We should really have a page up with a PGP key on it that goes to a small number of us, possibly just myself and one or two other people.

colindean commented 11 years ago

+1

What about something like security.txt? It'd be kinda like robots.txt, humans.txt, etc.

Or just whatever nonrevolutionary at something like /security or somesuch.

steveklabnik commented 11 years ago

Nobody will find security.txt.

It just needs to be at /security and linked from somewhere visible, possibly the home page.

wilkie commented 11 years ago

Why would we ever put up a PGP key where only steve can read? Honestly, that makes no sense.

I'm glad this is a concern, but anyway, nobody is going to look at /security :) Nobody cares to. Just throw our PGP keys on /contact because that's where I'd expect them to be. Throw them on your online profiles for extra validation (something I should do.) People probably won't use them because... yeeeeeah. If people wanted to use them, they'd have asked for it. :'(

steveklabnik commented 11 years ago

Why would we ever put up a PGP key where only steve can read? Honestly, that makes no sense.

The point of a PGP key is to not send emails with vulnerabilities in plaintext. A key could be made and shared amongst 2 or 3 of us. That's the point.

I'm glad this is a concern, but anyway, nobody is going to look at /security

The first thing that happened when someone noticed the security issue with Rubygems.org was to look for some sort of 'security' link, and when they couldn't find it, just went public rather than figure out who to contact.

I don't want that to happen to us, and we have had at least one big security issue in the past, though it was me that found it.

Putting it on /contact would be fine, too, but some sort of indication that "This is who you should send a security notice to."

wilkie commented 11 years ago

The point of a PGP key is to not send emails with vulnerabilities in plaintext. A key could be made and shared amongst 2 or 3 of us. That's the point.

Yep. So put our PGP keys on /contact ... although why people choose to go 'oh well, might as well email them anyway' if they know enough to look for a key instead of going 'hey, can I have your PGP key and some proof of identity please?' is beyond me. :(

The first thing that happened when someone noticed the security issue with Rubygems.org was look for some sort of 'security' link, and when they couldn't find it, just went public rather than figure out who to contact.

That was irresponsible of them, of course. Are we going to define convention because this person said they were looking for it? /contact is totally legit. It would be hard to say 'I couldn't find a way to securely contact them' when we have a contact page. I think it's fine and better to not have two places with contact info. Yanno?

I don't want that to happen to us, and we have had at least one big security issue in the past, though it was me that found it.

Wait. Since when did you find anything? Because I don't know about it if you did and I'd like to know these things. Here's what I know: Somebody emailed us about a checked in private key (your fault) and some user actions that weren't properly handled (that shit is forgivably hard.) And somebody else publicly announced an unsanitized user create that published passwords in plaintext. Although they all git blamed to steve, these things are more my fault than his because I should have reviewed them.

steveklabnik commented 11 years ago

So put our PGP keys on /contact

Totally, 100% cool. We just should have them.

although why people choose to go 'oh well, might as well email them anyway' if they know enough to look for a key instead of going 'hey, can I have your PGP key and some proof of identity please?' is beyond me. :(

Really, it's also an offensive PR thing: If someone discloses publicly, they cannot deny that they're being a jerk, since we have something public saying "please report here." If we don't, then we look like we don't care, and there's a plausible 'I didn't know what to do' story. And I care. :)

Are we going to define convention because this person said they were looking for it?

Every security person that I've talked to said that this is something they expect, and many web apps have one.

I don't care about the URL, I just want anything that says "Please send stuff here." This is based on the recommendation of everyone I know that gets paid to do security work.

Since when did you find anything

I was referring to https://github.com/hotsh/rstat.us/issues/493 , my remembering of the situation was that I was doing something in the console, and saw my own password pop up. I guess that was when I was confirming that this was actually an issue, and it was someone else that reported it initially. I don't know of any other holes we have.

jrgifford commented 11 years ago

Any project with more than 20 users should have something like this. And that means everyone should have one. If it's on /about, great, on /contact, great, it has to be there, and it needs to be visible.

And while I'm not paid to do security work, I much prefer /security. Just makes sense :tm:

wilkie commented 11 years ago

I agree with all of those things. :) Since we have a precedent that it is the three of us, we can put our (Steve, Carol, myself) PGP keys on the contact page. Let's not worry about sharing a private key because that's hard, and ensure that our PGP keys are secure. It will be our responsibility to resend the information to each other. If we want a single private key, we'd have to share an account on our dev server (which is totally for hotsh purposes) and use the principal email address. I don't want really to pass around a private key or rely on groupthink of "somebody else is probably checking this account." :D

I generated a new key today for my personal account for wilkie@xomb.org (4096 bit, expires in 3 months), and I recommend that we all create a new key for this. Let's put our keys as static assets, link them on the contact page VERY clearly and list our fingerprints there and on our social profiles. Tell people that they should email at least two of us to make sure it is seen quickly (another reason for it being personal accounts). I'm not opposed to a /security, but it may be confusing to also have a /contact page and I want to minimize the effort to find them.

That's my advice at least.

Overall. This is a good thing. :)

(Also, I'm glad that we were talking about the same thing, steve. I'd be a little ashamed if I couldn't list all of our mistakes off the top of my head. Good that I haven't missed any!)

(Also, is there SERIOUSLY an emoji :tm: for ™ :P so silly)
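The security.txt idea colindean floated earlier in the thread was later standardized as RFC 9116 (the thread itself settled on /contact), and wilkie's plan above is essentially the same data: contacts, links to static key assets, and an expiry. As an added example that is not part of the rstat.us code or this discussion, here is a small Ruby checker for such a file; the sample text, addresses and key paths are constructed placeholders.

```ruby
require "time"

# Constructed sample of what a security.txt for this project might hold:
# two maintainers to reach (the thread asks reporters to email at least two),
# the static key assets, and a freshness date. Addresses/paths are placeholders.
SAMPLE_SECURITY_TXT = <<~TXT
  # Security contact (constructed example, not a real file)
  Contact: mailto:security-maintainer-1@example.invalid
  Contact: mailto:security-maintainer-2@example.invalid
  Encryption: https://rstat.us/keys/maintainer-1.asc
  Encryption: https://rstat.us/keys/maintainer-2.asc
  Expires: 2099-01-01T00:00:00Z
  Preferred-Languages: en
TXT

# Parse "Field: value" lines into field => [values]; comments and blank lines
# are skipped and field names are case-insensitive, as RFC 9116 specifies.
def parse_security_txt(text)
  fields = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    name, value = line.split(":", 2)
    next if value.nil?
    fields[name.strip.downcase] << value.strip
  end
  fields
end

# Return a list of problems; empty means the file gives a reporter what they
# need: someone to contact, a key to encrypt to, and an Expires that has not
# passed. RFC 9116 requires Contact and exactly one Expires.
def check_security_txt(text, now: Time.now.utc)
  fields = parse_security_txt(text)
  problems = []
  problems << "missing Contact" if fields["contact"].empty?
  fields["contact"].each do |c|
    problems << "Contact must be a URI (mailto:/https:/tel:): #{c}" unless c =~ /\A(mailto|https|tel):/
  end
  if fields["expires"].empty?
    problems << "missing Expires"
  elsif fields["expires"].size > 1
    problems << "Expires must appear exactly once"
  else
    expires = Time.iso8601(fields["expires"].first) rescue nil
    problems << "Expires is not ISO 8601" if expires.nil?
    problems << "Expires is in the past" if expires && expires <= now
  end
  fields["encryption"].each do |e|
    problems << "Encryption must be https:/dns:/openpgp4fpr: #{e}" unless e =~ /\A(https|dns|openpgp4fpr):/
  end
  problems
end
```

Run `check_security_txt(File.read("public/.well-known/security.txt"))` in a CI step to catch a stale Expires before a reporter does.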

jrgifford commented 11 years ago

Expiring keys on such a short term is both smart and bad, but yay!

(And yes, there is. I wasn't looking for it, but when I saw it, I had to use it. :-) )

wilkie commented 11 years ago

Expiring keys on such a short term is both smart and bad, but yay!

Oh? It's generally best practice. It's certainly not bad if I remember to extend. And I'll do that in 3 months when my computer I use every day tells me. No biggie. :)

jrgifford commented 11 years ago

The politics of such a thing can be touchy - and really, it boils down to personal preference, and how seriously you take security. Anyway, neither here nor there.

wilkie commented 11 years ago

Well, this would be for generally quick conversations about security, in which case an assurance of key validity will go a long way (this key is under 3 months old.) That's the general thought, at least. This case in particular makes it seem most valid. These types of politics seem silly! :)

steveklabnik commented 11 years ago

I don't want really to pass around a private key or rely on groupthink of "somebody else is probably checking this account." :D

Sounds good. I'll generate one soon, too.

steveklabnik commented 11 years ago

Soon means in 15 minutes I guess: http://steveklabnik.com/security.html