Think about potential denial of service attacks and implement mitigations #6
Labels
Comments
|
We should probably implement delivery tokens as described here. Those would allow us to stop spam at the front door, but it does potentially complicate the out-of-band contact exchange. Specifically, the recipient has to authorize the sender as a contact before the sender can send a message to them. We need to think of the typical contact exchange of:
|
|
Also might want to limit number of attachment upload authorizations per IP. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Tassis is a fairly open server. It allows anyone to connect and register key distribution information. The only requirement for posting keys on behalf of a device is that the device authenticates as being itself. There's no limit on people creating arbitrary devices and registering them. Also, anyone can connect anonymously and retrieve key distribution information (which is a destructive operation that uses up one time preKeys) and anyone can send messages (which is an operation that takes up processing, network and storage capacity, and can flood targets of ).
These various mechanisms present opportunities for abuse. We need to implement rate limiting or other mitigations to limit the harm of that abuse.
Signal's Sealed Sender implementation takes advantage of their profile keys to limit damage to individual recipients in a way that's still anonymous. We don't have a profile keys mechanism, but I think we could do something similar to enforce a strict rate limit on messages from unknown contacts that we then lift for messages from authorized contacts. The trick is doing it in a way that preserves the privacy of senders and keeps us from having to know the recipients' contacts.
The text was updated successfully, but these errors were encountered: