Comments (8)
mdmfernandes
commented on September 23, 2024
1
With that in mind, my suggestion for the page is
# If you would like to report a security issue, please use the contact information below.
Contact: mailto:[email protected]
# Our security policy
Policy: https://github.com/reach4help/reach4help/blob/master/SECURITY.md
# You can contribute to our project, itβs open-source
Contribute: https://github.com/reach4help/info
Let me know what you think @s0
from reach4help.
s0
commented on September 23, 2024
1
that looks good to me, feel free to open a PR to add it, the folder to add it to would be: https://github.com/reach4help/reach4help/tree/master/site/static
from reach4help.
mdmfernandes
commented on September 23, 2024
It would be nice to create a GPG key associated with that email address, so people can send us encrypted emails, and we can sign the emails sent from that address (if required, we can extend this to other email alias). We can then put the fingerprint on the security.txt page and upload the public key to a keyserver or host it on the website.
Some issues to consider:
- Depending on the email provider, we need to use 3rd-party apps or browser extensions to be able to send/receive encrypted emails. For example, Gmail does not support GPG, but we can use FlowCrypt or Mailvelope, or use Thunderbird together with enigmail.
from reach4help.
s0
commented on September 23, 2024
I'm actually more inclined to not suggest the use of GPG for incoming emails, and rely on decent SMTP TLS infra for emails, and our own auth configuration in gsuite.
from reach4help.
mdmfernandes
commented on September 23, 2024
The advantage of using GPG is that E2E encryption can be used in emails sent to us, and also allows us to sign emails (e.g. to avoid tampering) sent to others. While TLS encrypts the data in transit, Google (and its affiliates) still have access to the content at rest.
GPG can be useful for situations where someone wants to send us an email with sensitive information (e.g. they found sensitive and/or personal data exposed on the app).
However, since GMAIL/GSuite does not have "native" integration of GPG keys, we need to do some workarounds as I explained in my previous comment. With that in mind, we can ignore GPG for the MVP, and add it later if we think it is necessary.
from reach4help.
s0
commented on September 23, 2024
Right, my thinking is that it's more of a trade-off of ease-of-use vs E2E security.
I think E2E encryption has it's uses, particularly in private communication, activism, journalism, etc... and I'm usually a big advocate of it, used to take part in key-signing parties etc...! However I also am very aware of its limitations.
Encouraging / requiring that researchers report to us using GPG may impact how fast we're able to respond to security disclosures, particularly if any of the on-call team are not as familiar with GPG. It also means that we need to start doing GPG key management on-top of everything else.
As far as encrypting-at-rest on google's servers, I don't think we have a threat model that gives us cause to worry about that. Even if people need to send us sensitive information, it's not any more sensitive than the information that google already deals with and has both legal and technical safeguards in place to protect.
As far as authenticity goes, i feel i'd much rather rely on DKIM and google's auth provisioning mechanisms than try to start also managing GPG keys around the security team.
With all that being said, even if we did list a GPG key, I have a feeling that the majority of the emails we get will not be signed or encrypted. If my experience working with a security research team and being involved in the security disclosure process for a number of vulnerabilities has taught me anything, it's that reporters find any additional work needed to report a vulnerability very frustrating, and often ignore requests such as using GPG (given it's not an easy to use piece of software), or just end up not reporting at all!
So all-in-all, i think it would be a lot of additional work for very little gain.
Those are my thoughts, though I'm happy to defer to @mdeous to make a call on this.
from reach4help.
s0
commented on September 23, 2024
In other words, it's more important that we respond to an email as rapidly as possible than ensure that Google can't see the contents of an email =)
from reach4help.
mdmfernandes
commented on September 23, 2024
Encouraging / requiring that researchers report to us using GPG may impact how fast we're able to respond to security disclosures, particularly if any of the on-call team are not as familiar with GPG. It also means that we need to start doing GPG key management on-top of everything else.
I agree that it can be a bit cumbersome to set up a GPG key, and because of that I agree that we can skip the GPG issue for the MVP, as I said before. However after being configured, it's a pretty transparent process for who is responsible for that email alias.
We will not encourage or require researchers to use it, it's just an extra option that they have if they really want to encrypt their emails content.
As far as encrypting-at-rest on google's servers, I don't think we have a threat model that gives us cause to worry about that. Even if people need to send us sensitive information, it's not any more sensitive than the information that google already deals with and has both legal and technical safeguards in place to protect.
I kinda disagree with this one, because it's more a privacy issue that actually to secure the information, because that is ensured during transport with TLS. Of course Google is "secure" but their fame regarding users' privacy is not the best π
As far as authenticity goes, i feel i'd much rather rely on DKIM and google's auth provisioning mechanisms than try to start also managing GPG keys around the security team.
You are mixing up different things. One thing is DKIM (which obviously must be set and properly configured, together with SPF and DMARC), which ensures that there's no spoofing regarding the email server, i.e. that the email really came from the email server specified in the headers (gmail in this case). It's good to prevent spam, phishing, etc.
GPG signing is all about the message content validation, i.e. it ensures that the content that is on the received email was written by the person that actually sent it.
With all that being said, even if we did list a GPG key, I have a feeling that the majority of the emails we get will not be signed or encrypted.
I totally agree. However researchers that have GPG configured on their email will probably use it. Also there are some email providers that use GPG by default, like Protonmail.
So all-in-all, i think it would be a lot of additional work for very little gain.
I agree that for this stage it's not a mandatory thing. I mentioned it because I think it can be important in the future, and also because it's suggested by security.txt. And ofc because I personally use it π .
from reach4help.
Related Issues (20)
- [AUTH.1] Verify via email or text unless Program Admin is dong entry
- [AUTH.2] Verify via email or text unless Program Admin is dong entry
- [REQ.5] Create a second request at a later point without having to re-enter contact info - either use verification via text / email or account
- [REQ.6] Create a repeating request
- Map filter bug: 'No Options' is not translated
- Improve performance by querying only those markers in view port
- REFACTOR MAP: includeHidden UI and code logic confusing
- [MAP] UBlock Origin Blocking Map Markers due to CORS
- [MAP EPIC] Migrate to use both Algolia (search engine) and Airtable (data input tool)
- [MAP] Refactor data model between Algolia and Airtable
- [MAP] Push transformed data from #1723 to Airtable
- Write a cloud function/realtime script to keep both databases synchronized
- [MAP] Extract location data using the Google Maps API from each marker
- [MAP] Parse out and properly formatting phone numbers and contact info
- reach4help landing page: add button for map and change Volunteer and Get Help to point to a Google Doc HOT 2
- Map may not center for users with ad blocker (geolocation)
- TECHNICAL MAP: Fix warnings about marker.getPosition
- MAP: Auto close search HOT 1
- MAP: Modify search box UI, remove organization type
- [MAP DATA] Parse and import Ukraine data on shelters
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from reach4help.