
Case for xx Network chat link in security.txt

3 min read

security.txt

The Dutch Digital Trust Center mandates that every government site publish a security.txt file under the .well-known directory at the root of the web site.

Use cases:

  • A go-to place for information on how to report vulnerabilities affecting the site or organization
  • Faster first contact with the people who handle security reports

Example

https://www.ncsc.nl/.well-known/security.txt captured on Jun 1, 2023.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Domeinen van de Rijksoverheid kunnen met een 302 redirect verwijzen naar
# het centrale bestand op https://www.ncsc.nl/.well-known/security.txt
# omdat het NCSC het centrale meldpunt is voor kwetsbaarheden en incidenten
# voor de Rijksoverheid.
#
# Dutch central government domains can redirect to the central file located
# at https://www.ncsc.nl/.well-known/security.txt with a 302 redirect,
# because NCSC-NL is the central point of contact for vulnerabilities and
# incidents for the Dutch central government.

Expires: 2024-01-31T22:59:00.000Z
Canonical: https://www.ncsc.nl/.well-known/security.txt

Policy: https://www.ncsc.nl/contact/kwetsbaarheid-melden
Policy: https://english.ncsc.nl/contact/reporting-a-vulnerability-cvd

Contact: https://www.ncsc.nl/contact/kwetsbaarheid-melden
Contact: https://english.ncsc.nl/contact/reporting-a-vulnerability-cvd
Contact: mailto:security@ncsc.nl
Encryption: https://www.ncsc.nl/contact/pgp-key
Preferred-Languages: nl, en

Acknowledgments: https://www.ncsc.nl/wall-of-fame
Hiring: https://www.werkenvoornederland.nl

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.2 (Build 1298)
Charset: utf-8
[signature data omitted]
-----END PGP SIGNATURE-----

Use case for Haven

  • security.txt is PGP-signed so that a reader can confirm it was published by the key owner, and that is fine. In practice, though, most people dislike using PGP to compose emails or messages
  • it is time-consuming for the recipient to fetch every sender's key, which also delays reading encrypted messages
  • Haven gives the reporter anonymity, both parties enjoy encryption and privacy, and can interact in real time (and still move to email if they so choose)
  • Haven uses quantum-resistant encryption (I haven't checked, but it should be superior to PGP)

A Haven public chat link can be added to security.txt. Two rules from RFC 9116 shape how: each Contact value must be a single URI (so "email - ...; chat - ..." on one Contact line is not valid), and Chat is not a defined field, so conforming parsers treat it as an extension field and ignore it. Keep the mailto: URI on its own Contact line and put the human-readable chat instructions in a # comment. Example:

# Chat (security vulnerabilities only): send a DM to `aCertainTestifier`
Chat: https://..............
Contact: mailto:.........
Encryption: https://www..../contact/pgp-key

Because a public chat room may contain strangers who are permanently present, reports should go by direct message (DM) to the named contact person rather than into the room itself.
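The checks a reporter or a site owner would want to run over such a file, as an added example that is not code from the original post or from the Haven / xx Network projects: a minimal RFC 9116 security.txt parser in Python that validates the required fields, skips (but does not verify) PGP cleartext armor like the NCSC file above, and shows both that a Chat line is an extension field conforming parsers ignore and that the single-line "email - ...; chat - ..." layout fails the Contact URI rule. The sample files, hostnames and the `aCertainTestifier` handle are constructed placeholders.

```python
"""Added example (not from the original post or the Haven / xx Network
projects): a minimal RFC 9116 security.txt parser plus the checks a
reporter would run before trusting the file. All samples are constructed."""
import re
from datetime import datetime, timezone

# Fields RFC 9116 defines. Anything else (e.g. "Chat") is an extension
# field that a conforming parser ignores, so it must not carry the only copy
# of an instruction; the mailto: URI stays on its own Contact line.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
URI_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
              "hiring", "policy"}
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")  # scheme ":" rest, no spaces


def parse_security_txt(text):
    """Parse into fields/comments/malformed; skips PGP cleartext armor (unverified)."""
    doc = {"fields": {}, "comments": [], "malformed": [], "signed": False}
    in_headers = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            doc["signed"], in_headers = True, True  # "Hash:" headers follow, then a blank line
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break  # signature bytes: not verified here; use the Encryption key for that
        if in_headers:
            in_headers = bool(line)  # a blank line ends the armor headers
            continue
        if not line:
            continue
        if line.startswith("#"):
            doc["comments"].append(line[1:].strip())
            continue
        name, sep, value = line.partition(":")  # field names are case-insensitive
        name, value = name.strip().lower(), value.strip()
        if sep and name and value:
            doc["fields"].setdefault(name, []).append(value)
        else:
            doc["malformed"].append(raw)
    return doc


def _parse_expires(value):
    """Accept the RFC 3339 forms seen in the wild, with or without fractions."""
    v = value[:-1] + "+0000" if value.endswith("Z") else value
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(v, fmt)
        except ValueError:
            continue
    return None


def validate(text, now=None, fetched_from=None):
    """Return (errors, notes): RFC 9116 violations, and caveats for the reporter."""
    now = now or datetime.now(timezone.utc)
    doc = parse_security_txt(text)
    fields = doc["fields"]
    errors = [f"malformed line: {raw!r}" for raw in doc["malformed"]]
    notes = []
    if not fields.get("contact"):
        errors.append("Contact is required")
    for name in sorted(URI_FIELDS & set(fields)):
        errors += [f"{name.title()} value is not a URI: {v!r}"
                   for v in fields[name] if not URI_RE.match(v)]
    expires = _parse_expires(fields["expires"][0]) if "expires" in fields else None
    if expires is None:
        errors.append("Expires is required and must be an RFC 3339 timestamp")
    elif expires <= now:
        errors.append(f"file expired on {expires.isoformat()}; do not rely on it")
    if fetched_from and "canonical" in fields and fetched_from not in fields["canonical"]:
        errors.append(f"fetched from {fetched_from}, which is not listed in Canonical")
    notes += [f"extension field {n!r} is ignored by RFC 9116 parsers; keep the "
              "instructions in a # comment too" for n in sorted(set(fields) - KNOWN_FIELDS)]
    if doc["signed"]:
        notes.append("PGP cleartext-signed; verify with the Encryption key before "
                     "trusting the file (not done here)")
    return errors, notes


# Constructed samples: a conformant file carrying a chat link, the one-line
# "email - ...; chat - ..." layout (not a URI), and a cleartext-signed wrapper.
SAMPLE_GOOD = """\
# Chat (security vulnerabilities only): send a DM to `aCertainTestifier`
Chat: https://chat.example.invalid/haven/security
Contact: mailto:security@example.invalid
Encryption: https://www.example.invalid/contact/pgp-key
Expires: 2099-01-31T22:59:00.000Z
Canonical: https://www.example.invalid/.well-known/security.txt
"""
SAMPLE_BAD = """\
Contact: email - mailto:security@example.invalid; chat - send DM to `aCertainTestifier`
Expires: 2024-01-31T22:59:00.000Z
"""
SAMPLE_SIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" + SAMPLE_GOOD
                 + "-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n-----END PGP SIGNATURE-----\n")
```

`validate(SAMPLE_BAD)` returns two errors (the Contact value is not a URI, and the file has expired); `validate(SAMPLE_GOOD, fetched_from=...)` returns none, with a note that the `chat` field is an extension field. The reporter-side rule that follows from the Expires check is the one the post makes for Haven too: once the file is past its date, fall back to a channel you can verify independently.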

What are the weaknesses of using Haven here?

The way I see it, the biggest is that xx Network keeps messages for 21 days and then they disappear. To prevent the situation where nothing happens for three weeks and messages disappear, the reporting person should move on to email if no response is received within hours.

With time, spam may become a problem for Haven. But it is already a problem for email now, so Haven is not worse.

Conclusion

Haven uses xx Network to store encrypted messages, and Haven users can connect to xx Network from any trusted application server, whether that is a container on their own desktop, the official Haven instance, or something else.

Compared to email or a web service as the means of communication, Haven is unlikely to be affected by a vulnerability or outage at the same time as your corporate email or web service, so it is a low-cost, "out-of-band" channel that is more resistant to unplanned concurrent downtime or DDoS.

Haven gives you zero maintenance, encryption the project describes as quantum-resistant, better privacy than email and PGP, and far more convenience.