pirate/sites-using-cloudflare

Stop requiring ownership verification.

TheReverend403 opened this issue · 4 comments

There is absolutely no legitimate reason you should require somebody to own a domain to get it removed from the list. If I want to go out of my way to verify a shit load of domains and provide that list to you, thus making everyone's lives easier, why can't I? You're making this far more complicated than it needs to be for everyone involved and I can't understand why other than that you seem to be stuck in some "keybase mindset" where verification has to happen for some arbitrary reason. The reason keybase requires verification is because you can make destructive changes with keybase and claim to be someone you are not, you cannot with this list. The absolute worst case scenario here is that I do somebody else's work for them.

You're also opening up a whole can of privacy issues by requiring verification of ownership in that not everybody necessarily wants to be publicly associated with a domain. Perhaps the owner of (for example) nigge.rs does not want that domain linked publicly to his professional GitHub account, what gives you the right to force that choice for him?

Seriously, please explain to me what negative thing you think is going to happen if someone other than the site owner gets a domain removed from this list.

It's for dynamic/user generated content. We can't verify that the site was using CF as a proxy during the affected time period, so we're taking the owner's word for it - provable by mail, nonce, or keybase.

We will remove static sites without verification.

You don't have to be the owner of a site to get it removed, even if it has logins or other sensitive information - you'll just have to get the owner to publish a post/mail stating that it hasn't used CF as a proxy during the affected time period.

So that if users complain here that information X is now leaked even though it was removed from the list, we can show them that the site owner said they were not affected.

@TheReverend403, as I mention in the issue template, verification is for a paper trail only, so that owners of major sites can have their domains removed from the list and be held accountable in case leaked data is found later on. We're not accepting, nor do we need verification for smaller sites that don't collect user data. I'm also taking removal requests via private Twitter DMs for sites that don't want to submit GitHub issues for various reasons (privacy included), although I admit, this is not an ideal process (see #215).

Here is an example of a negative hypothetical I'm trying to avoid:

  1. random person submits a request to remove bignamebank.com, it's accidentally approved (there are hundreds of PRs, I'm human and make mistakes)
  2. no one rotates sessions for bignamebank.com due to perceived safety
  3. a few days later, 2 session tokens are found in search caches, leading to fraudulent $ transfers and stolen money
  4. account owners blame me (this list is being used as a source for tons of "should I reset my password?" tools)
  5. random person is nowhere to be found, and I get blamed for allowing the bank to be removed when they were actually affected

What happens when we have verification:

  1. employee of bignamebank.com requests removal claiming they are not affected, it gets approved
  2. session tokens are found, fraudulent transfers are made
  3. I get blamed for telling people bignamebank.com is safe
  4. I point them to verified pull request by employee of bignamebank.com
  5. bignamebank.com gets blamed for wrongly claiming they were not affected, I'm off the hook

No longer accepting ownership verification, or any removal requests for that matter.