
security@mediawiki.org : Create a public key and publish it on the public key servers
Closed, Declined | Public | Feature

Description

For submitting information to security@mediawiki.org a public key is missing.

I suggest the creation of such a key and the publication on the key servers and of key and fingerprint on https://www.mediawiki.org/wiki/Manual:Security .


Version: unspecified
Severity: enhancement

Details

Reference
bz38860

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 12:45 AM
bzimport set Reference to bz38860.
bzimport added a subscriber: Unknown Object (MLST).

/me notes these aren't exactly state secrets. I highly doubt we have to worry about someone intercepting emails to learn about an XSS attack on Wikipedia. That said, it doesn't really hurt anything to have such keys available for the paranoid.

I say: one can never know what will happen (see FLAME). I did not say that all mails must be sent encrypted. I just proposed to have a public key available in case someone prefers to send their mail encrypted.

Well if someone with the resources to create something on the scale of the flame malware decides to start hating on us, we probably have larger problems ;)

Nonetheless, it certainly doesn't hurt to have such a key available.

CC'ing Chris as this is security related.

Chris: Any comments?

I think it would be good to have a public key for this use. It's a pretty common practice, and almost no cost to us. Just need someone to generate the keys, distribute them, and post the public part in a few places.

This would pretty much require a shared private key by everyone on the security@ mailing list, so we should also post disclaimers that it's only for encryption, and shouldn't be relied on for signatures.

Should someone generate a key and distribute it?

(In reply to comment #8)

This would pretty much require a shared private key by everyone on the
security@ mailing list, so we should also post disclaimers that it's only for
encryption, and shouldn't be relied on for signatures.

You can do this (1, 2, 1+2):

  1. (recommended)

You can give a longer meaningful and describing name and/or comment, like

"Wikimedia/MediaWiki/Wikipedia Information Security Team - read by several persons <security@mediawiki.org>"

and you could enumerate all team members by their name in the comment field.

  2. (optional, but requires all InfoSec team members to create their own key)

You can have every team member sign the "community key", so that it is clear who is a member.

Try gpg --gen-key to generate a test key, and notice the optional comment field!

Sorry: I tried, but I couldn't find the maximum key comment field length.

Uploading to the keyservers is optional; the most important thing is that you publish the key and the fingerprint on a safe mediawiki site.

fgiunchedi subscribed.

Chris, I've tentatively assigned this to you; let operations know if you need support.

The people having access to this key will have to match the people on the security@ mail alias. That includes "root" (alias for ops) and a list of other people.

I received a private email by a user who would like to report a security issue to Wikimedia. I pointed to https://www.mediawiki.org/wiki/Security which offers unencrypted email and creating a Phabricator task. As the user prefers email I will quote him:

Can you send me your public key? Why is that not available to create a secure relation to Wikipedia by default. Where I am everything is censored in the media, so it would be easier to submit via a PGP message.

Any recommendations how to proceed / what to answer?

Can't they create a phabricator task properly? It'll be via https...

@Krenair GPG will ensure that any communication is reserved for the eyes of the intended people much better than ACLs on phabricator.

I think this is a serious and valid request.

@Aklapper: it might be a good idea to put this person in contact with @csteipp directly, or with someone in the ops team if the matter is not in mediawiki. Our GPG keys are available on the keyservers and most of them have been signed by other team members too.

@Aklapper for now, until this ticket is resolved, I'd suggest to tell the user to:

gpg --search-keys csteipp@wikimedia.org

and use that key to mail it to Chris, as Joe said.

The people having access to this key will have to match the people on the security@ mail alias. That includes "root" (alias for ops) and a list of other people.

It will also need to be regenerated if the members change as well.

Adding Security-Team. What do you guys think about such a key nowadays? Ticket is from 2012 after all.

Speaking just for myself and not the team. I think such a thing makes sense. Not exactly what I'd call a high priority concern, but some reporters like being paranoid, and we should do everything we can to make people feel comfortable reporting security issues to us.

Aklapper changed the subtype of this task from "Task" to "Feature Request". Feb 4 2022, 11:14 AM
Aklapper removed a subscriber: wikibugs-l-list.

@Aklapper Wanna bring it up with the new security lead?

@Dzahn: I myself don't plan to, as I'm not a fan of GPG. Anyone who has good arguments why this task should be prioritized could contact the Security folks.

On a general note, I hadn't known that https://www.mediawiki.org/keys/ exists...

Fair enough. Though making this task should have been identical to "contacting the security folks" and it's been over a decade. So might as well decline it.

Additionally, the question is who actually reads security@mediawiki because it's going to OTRS (Znuny/VRTS).

security@mediawiki.org
  router = otrs, transport = remote_smtp

I mean.. scrolling up in ticket history shows that more than one _previous_ security person and an SRE said this would be a good idea. But maybe times have changed?

sbassett edited projects, added SecTeam-Processed; removed Security-Team.
sbassett subscribed.

I think the current incarnation of the Security-Team would encourage people to follow the guidelines at https://www.mediawiki.org/wiki/Reporting_security_bugs for reporting any security-related issues. So, basically security@ and the Phab form, with likely a preference for the latter, since it should be fairly secure by default.

Additionally, the question is who actually reads security@mediawiki because it's going to OTRS (Znuny/VRTS).

No clue, as I'm pretty sure nobody on the Security-Team has access to that address or OTRS.

Ok, well, do you want to do anything about the security@ mails?

Ok, well, do you want to do anything about the security@ mails?

In theory, that's a good idea. In practice, I'm not sure it's worthwhile, for a few reasons:

  1. We get a lot of very low-risk or even non-issues reported to security@, IME
  2. Purely anecdotally, I don't think a lot of people who report things to security@ would bother to encrypt them to a pubkey, if they even knew where to find it
  3. This would imply a shared cred for the pub/privkey pair as there are numerous individuals and groups who are on security@ who might need to decrypt messages

I suppose it might be low-friction to make a pubkey available for security@ but I'm not sure we should even try to enforce its usage in any way.

Alright, thanks for the details! I just meant besides GPG now, just if we should stop sending those emails to VRTS. But sounds like we should just keep the status quo then.