| 1 |
On Fri, 22 May 2020 21:58:54 +0200 |
| 2 |
Michał Górny <mgorny@g.o> wrote: |
| 3 |
|
| 4 |
> Let's put it like this. This thing starts working. Package X is |
| 5 |
> broken, and we see that almost nobody is using it. We remove that |
| 6 |
> package. Now somebody is angry. He submits a lot of fake data to |
| 7 |
> render the service useless so that we don't make any future decisions |
| 8 |
> based on it. |
| 9 |
|
| 10 |
Sure, and I agree that's a risk. But its not the "random users from the |
| 11 |
internet fill your inbox with shallow promises of free money" sort of |
| 12 |
risk, that's typically implied by "spam" ;). |
| 13 |
|
| 14 |
The set of potential attackers seems much smaller in our case, and are |
| 15 |
expressly likely to be actual consumers of Gentoo. |
| 16 |
|
| 17 |
This attacker type seems to be the sort that mitigates well with: |
| 18 |
|
| 19 |
- Make it so that end users can't forge custom IDs and can only be |
| 20 |
handed out by the server (but the ID doesn't actually add any |
| 21 |
tracking, its just a chunk of randomness with a signature that |
| 22 |
verifies its legitimacy) |
| 23 |
|
| 24 |
- Make ID generation expensive. |
| 25 |
|
| 26 |
- Limit submissions per ID the same way we do now. |
| 27 |
|
| 28 |
That way it doesn't harm typical users beyond their --setup, but hurts |
| 29 |
would be attackers. |
| 30 |
|
| 31 |
If we get under attack, we can just suspend ID generation services, or |
| 32 |
rate limit ID generation. |
| 33 |
|
| 34 |
(And we can encode data in the ID about when it was generated, and the |
| 35 |
strength of the challenge of the generation, and then block submissions |
| 36 |
based on criteria when problems occur) |
| 37 |
|
| 38 |
This means we don't need to keep track of what ID's are "valid", server |
| 39 |
side, crypto bits do all the leg work. |
| 40 |
|
| 41 |
Even if our private key doing the signing gets compromised, we can |
| 42 |
change it, which triggers all users to need to re-id, and flush old |
| 43 |
data. |
Archives