Hello, welcome to the Friday, August 28, 2020 edition of the Sandtonet Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Good reminder today by Jan about security.com. This is a text file that you should have on your web server in order to give contact information to a researcher who finds a security vulnerability.

Either in your web application, of course, that's the obvious reason, but also in your organization at large.

Couple side notes on this.

First of all, this file is found in the dot well-known directory.

Again, something that's seriously known, but instead of littering essentially the document

route with all of these files.

Lately, these files have been moved into the dot well-known

directory secondly it may be a good idea to take a look at who is accessing that file

because a researcher may take a look at the secure text file but then not necessarily report the vulnerability, sort of have

second thoughts as to whether or not to do so. And yes, of course, there is a little bit of

reconnaissance value in this file as well that a bad guy may attempt to exploit. But in the end,

it's all about helping the bad guys to get in touch with you and report

a problem.

And from my own experience, I can tell you this makes a huge difference.

I often haven't gotten around to really track down security contacts if it's just way

too complex to find them.

At this point, security.comtext is not yet sort of a complete finalized RFC,

but it's a draft and it's easy enough to implement that there is really very little downside to it.

Now, talking about security features that backfire and cause problems,

apparently Google Chrome's DNS hijacking feature is causing problems for the root DNS infrastructure.

...