Opened 15 months ago

Last modified 7 months ago

#25131 needs_review enhancement

Add a security.txt file to torproject.org

Reported by: teor
Owned by:
Priority: Medium
Milestone: website redesign
Component: Webpages/Website
Version:
Severity: Normal
Keywords:
Cc: dmr
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

security.txt files give people the information they need to contact Tor when they find a security issue.

It's an IETF draft, and Google has done it, so maybe we should too:
https://securitytxt.org/

We can use the existing information at:
https://www.torproject.org/about/contact#security

And we might want to:

  • add a PGP key file
  • add a signature
  • maybe add a policy or acknowledgements when we decide how they work

Child Tickets

Ticket | Type | Status | Owner | Summary
#2259 | enhancement | new | erinn | The "new ticket" page should contain good advice on how to write good tickets.
#5489 | task | assigned | nickm | Write up a "how to report bugs and security issues, and what happens then" post or FAQ
#27421 | defect | new | | Tor security policy
#27422 | defect | closed | | Remove signature line from security.txt
#27423 | defect | new | | Sign security.txt
#27424 | defect | closed | | Remove hiring line from security.txt
#27458 | task | needs_review | | security.txt: Add acknowledgments page to honour our security researchers

Change History (17)

comment:1 Changed 13 months ago by hiro

Milestone: website redesign

comment:2 Changed 8 months ago by traumschule

Status: new → needs_review

Open for discussion:
https://github.com/torproject/webwml/pull/9
(not to be merged until fully adopted, see checklist in description)

comment:3 Changed 8 months ago by dmr

Cc: dmr added

comment:4 Changed 8 months ago by traumschule

Status: needs_review → new

This got merged, although the links in security.txt do not yet point to useful information; it is also missing a signature.

  • Policy: the current security policy is a draft and should be published in a (signed) blog post (#5489) and linked from https://torproject.org/about/contact#security
  • Signature: File is missing. Should it be signed with the deb.torproject.org archive signing key (8B904624C5A28654E4539BC2E135A8B41A7BF184)?
  • Hiring: it could help the Torproject to always have an open position for security researchers

Who's willing to adopt this ticket?

comment:5 Changed 8 months ago by traumschule

Summary: Add a security.txt file to torproject.org → Sign security.txt

comment:6 in reply to: 4 Changed 8 months ago by teor

Replying to traumschule:

> This got merged, although the links in security.txt do not yet point to useful information; it is also missing a signature.

That's not the Tor Project's security policy. It's the network team security policy.

We need to work out a security policy that covers all of Tor first:
See https://trac.torproject.org/projects/tor/ticket/13968#comment:27

Please open another ticket for this issue.

> • Signature: File is missing. Should it be signed with the deb.torproject.org archive signing key (8B904624C5A28654E4539BC2E135A8B41A7BF184)?

I don't understand what the Debian archive has to do with the security policy.
I suggest we use the tor-security list key, or some other key that many people trust.

Also, how did this patch get merged without a signature?
Please open a ticket to remove the signature line, because it looks broken.

Then, please open a ticket to get it signed.
(Please don't change the titles of tickets to a different task, that's confusing. And integers are cheap.)

> • Hiring: it could help the Torproject to always have an open position for security researchers

Tor security researchers typically work for universities or similar organisations, or are freelance, or are volunteers.
Since we don't have open security-related jobs, please open a ticket to remove the hiring line.

Also, Tor doesn't always have positions open in any category.

Changing this part of Tor is best done by talking to HR, the executive director, or the affected teams. It really isn't a good topic for a trac ticket.

Who's willing to adopt this ticket?

If you open separate tickets for each task, different people might adopt those tasks.

comment:7 Changed 8 months ago by traumschule

Thanks for the review.

> Also, how did this patch get merged without a signature?

I guess it was merged without reading the PR description or the according ticket.

> If you open separate tickets for each task, different people might adopt those tasks.

Done.

comment:8 Changed 8 months ago by traumschule

Summary: Sign security.txt → Add a security.txt file to torproject.org

> (Please don't change the titles of tickets to a different task, that's confusing. And integers are cheap.)

Changing it back.

comment:9 Changed 8 months ago by traumschule

Status: new → needs_review

comment:10 Changed 8 months ago by teor

I am confused by the commits in this pull request. It looks like some of them have already been merged to master?

It looks like you tried to add a commit called "rebase".
Instead, please rebase the branch onto master, and open a new pull request with the result.

Here are my comments on the original commit to the contact page:

I don't understand what the "acknowledgements" are.

The network team security policy is *not* the security policy for the whole of Tor.

The link to .well_known/security.txt is blank. Does that work?

comment:11 Changed 8 months ago by teor

Status: needs_review → needs_revision

comment:12 Changed 8 months ago by traumschule

(learned something: I used the already merged branch securitytxt, added the commit and did 'git rebase master'. So all commits got a new hash. Instead I need to delete the merged branch, checkout -b securitytxt and add the commit there.)

> I don't understand what the "acknowledgements" are.

This is something the securitytxt people came up with: https://tools.ietf.org/html/draft-foudil-securitytxt-04#section-3.4.1
Basically a place to honour the work of former / current security researchers. I created #27458 for it.

> The network team security policy is *not* the security policy for the whole of Tor.

Yes, the current link does not make much sense. I propose to make up a (wiki?) path like TorSecurityPolicy? to be filled later. It probably should also appear on WikiStart#OfficialTorLinks.

> The link to .well_known/security.txt is blank. Does that work?

Got me. The whole PR was WIP and I did not expect it to be merged at this stage.

Last edited 8 months ago by traumschule

comment:13 Changed 8 months ago by traumschule

Status: needs_revision → needs_review

push -f, so same link: https://github.com/torproject/webwml/pull/39

The original PR had some more info on the concept:
https://github.com/torproject/webwml/pull/9

comment:14 in reply to: 12 Changed 7 months ago by teor

Replying to traumschule:

> > The network team security policy is *not* the security policy for the whole of Tor.
>
> Yes, the current link does not make much sense. I propose to make up a (wiki?) path like TorSecurityPolicy? to be filled later. It probably should also appear on WikiStart#OfficialTorLinks.

Ok, but you can't link to a blank policy. That's confusing.

I suggest that you point to the network team security policy as the policy for "tor (the network daemon)", and note that other projects may have their own policies.

comment:16 in reply to: 15 Changed 7 months ago by teor

Replying to traumschule:

> What do you think about https://github.com/torproject/webwml/pull/39/commits/12b283eecd4f467bb05171f3c0616e99051d4dab

I'm not sure.

If you link to a wiki, then we can add new policies easily, but the content is hard to trust.
If you get the security.txt file signed, then it's harder to update the links.

Please check the links, they have typos.
And please be consistent with your onion links: either provide onion links for all links, or no links.
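As an added example, not code from this ticket, the pull request or the Tor Project, the script below parses a security.txt file using the field names of draft-foudil-securitytxt-04 (the draft version linked in comment:12, including the Signature and Hiring fields the child tickets discuss removing) and applies the checks raised across the thread: a missing Contact field, blank values like the empty link noted in comment:10, links that do not parse like the typos noted in comment:16, and inconsistent use of .onion links. The sample file is constructed, and the onion-consistency rule (if any field carries an onion link, every field with a clearnet web link needs one too) is this example's own reading of the review comment.

```python
"""Offline validator for a security.txt file using the draft-foudil-securitytxt-04
field set. Added example for this ticket, not the Tor Project's code."""
from urllib.parse import urlparse

# Field names as this example assumes draft-04 defined them (later drafts
# dropped Signature and Hiring and added Canonical/Expires/Preferred-Languages).
KNOWN_FIELDS = {"Acknowledgments", "Contact", "Encryption", "Hiring",
                "Permission", "Policy", "Signature"}
# Schemes accepted for field values (Contact may be mailto:/tel:/https:).
URI_SCHEMES = {"https", "http", "mailto", "tel"}


def parse_security_txt(text):
    """Return (fields, findings): fields is a list of (name, value) pairs in
    file order; findings lists lines that are not 'Field: value'."""
    fields, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed anywhere
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(f"line {lineno}: not a 'Field: value' line: {raw!r}")
            continue
        fields.append((name.strip(), value.strip()))
    return fields, findings


def is_onion(value):
    """True when the value is a web link whose host is a .onion address."""
    host = urlparse(value).hostname or ""
    return host.endswith(".onion")


def validate(text):
    """Return human-readable findings; an empty list means every check passed."""
    fields, findings = parse_security_txt(text)
    if "Contact" not in [n for n, _ in fields]:
        findings.append("missing required Contact field")
    for name, value in fields:
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field {name!r}")
        if not value:
            # Comment:10 in the thread: a blank link is confusing to readers.
            findings.append(f"{name}: empty value (a blank link is confusing to readers)")
            continue
        parsed = urlparse(value)
        if parsed.scheme not in URI_SCHEMES:
            # Catches typos such as 'htps://' that a browser would not open.
            findings.append(f"{name}: unrecognised URI scheme {parsed.scheme!r} in {value!r}")
        elif parsed.scheme in ("http", "https") and not parsed.hostname:
            findings.append(f"{name}: web link without a host: {value!r}")
    # Onion consistency (this example's assumption about the review comment):
    # if any field has an onion link, every field with a clearnet web link
    # should also have one; otherwise the file should carry no onion links.
    web = [(n, v) for n, v in fields if urlparse(v).scheme in ("http", "https")]
    onion_fields = {n for n, v in web if is_onion(v)}
    clearnet_fields = {n for n, v in web if not is_onion(v)}
    missing = clearnet_fields - onion_fields
    if onion_fields and missing:
        findings.append("inconsistent onion links: fields without an onion "
                        "counterpart: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample (not the real torproject.org file) showing the kinds of
# problems raised in review: a typo'd scheme, a blank value, and an onion
# link on only one of the fields.
SAMPLE = """\
# Constructed security.txt for this example
Contact: mailto:security@example.org
Contact: https://example.org/about/contact#security
Contact: http://exampleonionaddressplaceholder.onion/about/contact#security
Encryption: https://example.org/keys/security-team.asc
Policy: htps://example.org/security-policy
Acknowledgments:
Signature: https://example.org/.well-known/security.txt.sig
"""

if __name__ == "__main__":
    for finding in validate(SAMPLE):
        print("-", finding)
```

Running the script on the constructed sample reports three findings: the mistyped Policy scheme, the empty Acknowledgments value, and the Encryption and Signature fields that lack an onion counterpart. The validator cannot check that a Signature link actually resolves to a detached signature; that still needs to be verified against the served file.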
