Affiliation:
1. HM Munich University of Applied Sciences, Germany
Abstract
Determining the correct contact person for a particular system or organization is challenging in today's Internet architecture. Yet various stakeholders need exactly this information, among them national security teams, security researchers, and Internet service providers. To address this problem, RFC 9116, better known as "security.txt," was developed. If implemented correctly, it helps these stakeholders find the contact information they need to notify an organization of a security issue. A further proposal, "dnssecuritytxt," uses DNS TXT records for the same purpose.
In this research article, we evaluated the prevalence of websites that have implemented security.txt and their conformity with the standard. Through a longitudinal analysis of the top one million websites, we investigated the adoption and usage of this standard among organizations. Our results show that the overall adoption of security.txt remains low, especially among less popular websites. To drive its acceptance among organizations, security researchers, and developers, we derived several recommendations, including partnerships with browser and content management system vendors.
Publisher
Association for Computing Machinery (ACM)
Subject
Computer Networks and Communications, Computer Science Applications, Hardware and Architecture, Safety Research, Information Systems, Software
References (24 articles)
1. Tim Berners-Lee, Roy T. Fielding, and Larry Masinter. 2005. Uniform Resource Identifier (URI): Generic Syntax. STD 66. RFC Editor. Retrieved from http://www.rfc-editor.org/rfc/rfc3986.txt.
2. Scott Bradner. 1996. The Internet Standards Process -- Revision 3. BCP 9, RFC 2026. RFC Editor. Retrieved from https://www.rfc-editor.org/rfc/rfc2026.txt.
3. John Carroll and Casey Ellis. 2021. dnssecuritytxt: A standard allowing organizations to nominate security contact points and policies via DNS TXT records. Retrieved from https://dnssecuritytxt.org/
4. Catalin Cimpanu. 2017. Bleeping Computer: Security.txt Standard Proposed Similar to Robots.txt. Retrieved from https://www.bleepingcomputer.com/news/security/security-txt-standard-proposed-similar-to-robots-txt/
5. Dave Crocker. 1997. Mailbox Names for Common Services, Roles and Functions. RFC 2142. RFC Editor. Retrieved from https://www.rfc-editor.org/rfc/rfc2142.txt.