
Why you should add security.txt to your capsule

2022-02-16 | #security #kennedy | @Acidus


This is not the post where I discuss how terrifyingly easy it is to find dozens of vulnerable capsules from which you can read nearly any private file you would like, all thanks to the directory traversal security vulnerabilities that have been going around.


Accessing private files in a pubnix user's home directory

Robust Defence Against Directory Transversal attacks


Instead, this is the post where I discuss the challenge of trying to find contact information for dozens of vulnerable capsule owners.


"I want to talk to your supervisor!"


As I mentioned in my initial post about a directory traversal vulnerability:


>I am confident this issue will be resolved and I believe it can serve as a catalyst to discuss many positive things such as: A standardized way to find contact information for the owner of a capsule.

Public Service Announcement: Security vulnerability in gemini server software


That's because as soon as I saw how widespread some of the vulnerabilities were, I knew I would need to proactively contact some of these capsule owners about the problem so they could fix it. Once upon a time the way to get contact info for a domain was to use WHOIS.

WHOIS Wikipedia article


Alas, real contact information via WHOIS is a thing of the past thanks to gross scammy and spammy actors. So instead, to find contact information for ~50 different capsules I had to:

Visit each capsule's home page, looking for contact info

Browse deeper into the capsule's content. Is there an "about" page? Do they sign the bottom of their gemlog posts? Do they specify their email address using instructions like "acidus FOO example BAR com (replace FOO with @ and BAR with a dot)"?

Check if the hostname also has an HTTP or HTTPS site, and look for contact info on that

For capsules in a language that I cannot read, do all of the above, but with lots of copy+pasting into translation services


The result of this ad hoc approach sucked for three reasons:

It took several hours

It was fairly boring (though I did discover some cool capsules)

I was only able to find email addresses for 40% of the vulnerable capsules


The good news is this effort has somewhat worked. Within a few hours of emailing people today, I got 8 responses from capsule owners who had already updated their capsule software. Now if only in the future there was an easier way to find and contact people! Luckily, there is already a standard for specifying a point of contact for security issues: security.txt


How to use security.txt

security.txt lets you define who to contact for security-related matters. It is geared towards websites, but can be used for gemini or even gopher as well.


To start, you put a UTF-8 text file at a well-known location:

gemini://gemi.dev/.well-known/security.txt

The file is a simple list of "Name: value" fields, one per line, with lines starting with "#" treated as comments. The most basic security.txt looks like this:

# who should be contacted about security problems?
Contact: mailto:acidus@gemi.dev
# when this information should be considered stale (the spec requires this field, and recommends a date less than a year away)
Expires: 2023-02-16T00:00:00Z

That's it: Contact and Expires are the only fields the specification requires. While there are a lot of additional fields, many are geared towards large commercial organizations, with options to specify security disclosure policies, bug bounty systems, etc. A few fields of security.txt may be useful for capsules, such as:

Preferred-Languages: the languages you are willing to be contacted in, as a comma-separated list (e.g. "en, de")

Multiple "Contact" fields, listed in order of preference, which can be any kind of URI, not just mailto: (a gemini:// page, an https:// form, a tel: number)

Encryption: a link to your public key, so that reports can be sent to you encrypted
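As an added example (not the post's own scan script, nor code from Kennedy), here is a small Python tool that does what the previous paragraphs describe from the notifier's side: it parses a security.txt into its fields, checks the things an automated notifier should check before trusting the file (required fields, fields that may appear only once, Contact values that are real URIs, an Expires date still in the future), pulls out the mailto: addresses in the owner's order of preference, and can fetch the file from a capsule over Gemini. The sample file and the gemini:// URLs inside it are constructed for the example; the field names and the Expires rule follow the security.txt specification.

```python
"""Parse, validate and fetch a capsule's security.txt the way an automated
notifier would before mailing the owner.  Added example; the sample file and
URLs below are constructed, not taken from any real capsule."""
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample in the format described in the post (assumed content).
SAMPLE = """\
# who should be contacted about security problems?
Contact: mailto:acidus@gemi.dev
Contact: gemini://gemi.dev/about.gmi
Preferred-Languages: en, de
Encryption: gemini://gemi.dev/pgp-key.txt
Expires: 2023-02-16T00:00:00Z
"""

REQUIRED = ("contact", "expires")              # both MUST be present
AT_MOST_ONCE = ("expires", "preferred-languages")  # MUST NOT repeat


def parse_security_txt(text):
    """Return {field name (lowercased): [values in file order]}.
    Blank lines and '#' comments are skipped; a line without ':' is
    rejected rather than silently ignored."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'Name: value'")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_timestamp(value):
    """ISO 8601 timestamp (with 'Z' or an offset) -> aware datetime."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def check_security_txt(fields, now=None):
    """Return a list of problems; an empty list means the file is usable.
    `now` may be an aware datetime or an ISO 8601 string (defaults to UTC now)."""
    if isinstance(now, str):
        now = parse_timestamp(now)
    now = now or datetime.now(timezone.utc)
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for uri in fields.get("contact", []):
        if not urlparse(uri).scheme:           # a bare "me@host" is not a URI
            problems.append(f"contact is not a URI: {uri!r}")
    for value in fields.get("expires", [])[:1]:
        try:
            expires = parse_timestamp(value)
        except ValueError:
            problems.append(f"expires is not an ISO 8601 timestamp: {value!r}")
            continue
        if expires <= now:
            problems.append(f"file expired on {value}; treat contents as stale")
    return problems


def email_contacts(fields):
    """Addresses to notify, in the owner's stated order of preference."""
    return [uri[len("mailto:"):].split("?")[0]
            for uri in fields.get("contact", [])
            if uri.lower().startswith("mailto:")]


def parse_gemini_response(raw):
    """Split a raw Gemini response into (status, meta, body).
    The header is '<STATUS><SP><META>\\r\\n'; a 2x status means success."""
    header, _, body = raw.partition(b"\r\n")
    status, _, meta = header.decode("utf-8", "replace").partition(" ")
    return status, meta, body


def fetch_security_txt(host, port=1965, timeout=10):
    """Fetch gemini://host/.well-known/security.txt (network call, not used
    by the offline demo).  Capsules mostly use self-signed certificates
    (trust on first use), so verification is off here; a real scanner should
    pin the certificate it saw on first contact."""
    url = f"gemini://{host}/.well-known/security.txt"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall((url + "\r\n").encode("utf-8"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    status, meta, body = parse_gemini_response(b"".join(chunks))
    if not status.startswith("2"):
        return None                            # e.g. 51 = no such file
    return body.decode("utf-8", "replace")


if __name__ == "__main__":
    fields = parse_security_txt(SAMPLE)
    print("problems:", check_security_txt(fields, now="2022-02-16T00:00:00Z"))
    print("notify:", email_contacts(fields))
```

The Expires check matters for a notifier: a file that has passed its Expires date should be treated as stale and its contact details double-checked rather than mailed blindly. Over Gemini there is no CA to validate the server against, so the fetcher simply records whatever certificate it sees; a scanner that runs repeatedly should compare it with the one seen on first contact.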


Why you should add a security.txt

Sadly, the majority of capsules that were vulnerable 2 weeks ago are still vulnerable today. Best case, all of the 40% of capsules that I could email fix it, and maybe another 20-30% find out about the problem via Antenna or Station in the next few weeks and fix it as well. That still leaves about 30% of the capsules vulnerable.


If instead these capsules had had a security.txt file, the same script I wrote to scan Gemini space for these vulnerable capsules could have also automatically alerted them.


I understand that for some capsule owners, not having public contact information is a feature and not a bug. I also understand that many capsule owners don't want some hacker scanning their capsules, and they certainly don't want to be contacted about it. If you don't want that, I disagree, but understand. I respectfully suggest you take other steps to protect yourself, like subscribing to mailing lists or feeds for the software you use so you can watch for security updates.


For the rest of you, I sincerely ask you to include contact information in a security.txt file, so good hearted people can contact you if they discover a security problem.


Tracking adoption of security.txt


Currently, only 5 capsules in all of Gemini space have a security.txt file. I added a feature to my Gemini search engine Kennedy, which shows known capsules using security.txt:


Capsules with security.txt


Looking at those is a great way to see what people are doing, and to copy them. It also allows us to track the adoption of security.txt by the Gemini community.


(Also, give Kennedy a try and help me make it a better search engine!)

Kennedy, a Gemini search engine
