1 |
Hi Michał, |
2 |
|
3 |
On 2020/05/21 13:02, Michał Górny wrote: |
4 |
> On Thu, 2020-05-21 at 12:45 +0200, Jaco Kroon wrote: |
5 |
>> Even for v4, as an attacker ... well, as I'm sitting here right now I've |
6 |
>> got direct access to almost a /20 (4096 addresses). I know a number of |
7 |
>> people with larger scopes than that. Use bot-nets and the scope goes up |
8 |
>> even more. |
9 |
> See how unfair the world is! You are filling your bathtub with IP |
10 |
> addresses, and my ISP has taken mine only recently. |
11 |
I must admit, I work for an ISP :$ |
12 |
>>> Option 3: explicit CAPTCHA |
13 |
>>> ========================== |
14 |
>>> A traditional way of dealing with spam -- require every new system |
15 |
>>> identifier to be confirmed by solving a CAPTCHA (or a few identifiers |
16 |
>>> for one CAPTCHA). |
17 |
>>> |
18 |
>>> The advantage of this method is that it requires a real human work |
19 |
>>> to be |
20 |
>>> performed, effectively limiting the ability to submit spam. |
21 |
>>> |
22 |
>> Yea. One would think. CAPTCHAs are massively intrusive and in my |
23 |
>> opinion more effort than they're worth. |
24 |
>> |
25 |
>> This may be beneficial to *generate* a token. In other words - when |
26 |
>> generating a token, that token needs to be registered by way of capthca. |
27 |
>> |
28 |
>>> Other ideas |
29 |
>>> =========== |
30 |
>>> Do you have any other ideas on how we could resolve this? |
31 |
>>> |
32 |
>> Generated token + hardware based hash. |
33 |
> How are you going to verify that the hardware-based hash is real, |
34 |
> and not just a random value created to circumvent the protection? |
35 |
|
36 |
So the generation of the hash is more to validate that it's still on the |
37 |
same installation (ie, not a cloned token). Sorry if that wasn't clear, |
38 |
so trying to solve two possible problems in one go. |
39 |
|
40 |
> |
41 |
>> Rate limit the combination to 1/day. |
42 |
>> |
43 |
>> Don't use included results until it's been kept up to date for a minimum |
44 |
>> period. Say updated at least 20 times 30 days. |
45 |
> For privacy reasons, we don't correlate the results. So this is |
46 |
> impossible to implement. |
47 |
|
48 |
Ok, but a token cannot (unless we issue it based on an email based |
49 |
account) be linked back to a specific user, so does it matter if we |
50 |
associate uploads with a token? |
51 |
|
52 |
>> The downside here is that many machines are not powered up at least once |
53 |
>> a day to be able to perform that initial submission sequence. So |
54 |
>> perhaps it's a bit stringent. |
55 |
> Exactly. Even once a week is a bit risky but once a day is too narrow |
56 |
> a period. |
57 |
> |
58 |
> To some degree, we could decide we don't care about exact numbers |
59 |
> as much as some degree of weighed proportions. This would mean that, |
60 |
> say, people who submit daily get the count of 7, at the loss of people |
61 |
> who don't run their machines that much. It would effectively put more |
62 |
> emphasis on more active users. It's debatable whether this is desirable |
63 |
> or not. |
64 |
Decaying averages. Simple to implement, don't need all historic data. |
65 |
> |
66 |
> Both the token and hardware hash can of course be tainted and is under |
67 |
>> "attacker control". |
68 |
> Exactly. So it really looks like exercise for the sake of exercise. |
69 |
|
70 |
Unless tokens are *issued* as per the rest of my email you snipped |
71 |
away. Wherein I proposed an issuing of both anonymous and non-anonymous |
72 |
tokens. |
73 |
|
74 |
Kind Regards, |
75 |
Jaco |