Add privacy pass/trusttoken hidden captcha support to rate limit signups #3518
Comments
What about turning this into an RFC 🤔?
It's my fault this isn't an RFC--it seemed too small of a feature to me. Summarized all the way down, here is the idea: Today, sign up and sign in have the same rate limits as every other action on the site. As more attackers create accounts to upload malware gems, we should set lower rate limits for guessing passwords and for creating new accounts. I propose that we fight bot and malicious traffic with minimal user impact by combining rate limits with captchas (and with PrivacyPass). In short, you can sign up (or log in), as today with no captcha. But to sign up many accounts from the same IP, or try several passwords for an account, you need to pass a captcha for each attempt. If available, we accept PrivacyPass to skip the captcha, since that is equivalent "human verification", to further reduce user impact.
Is there any interaction with our WebAuthn work?
As far as I understand the proposal there's no interaction between the two, just an added layer of security up front (@indirect correct me if I'm wrong).
I understand that rationale, but often users of a system may still be impacted negatively. For instance, in captchas I often guess incorrectly (in particular when I have to analyse a fragmented picture and miss on some tiles). I am still motivated to try and solve something, but if I fail, say, 2 or 3 times then I just vanish and don't come back to such websites. It's simply not worth the hassle and additional time investment compared to a system without such an anti-user feature.
Did you catch the part where we won't even show anyone captchas unless they are trying to sign up multiple times from the same IP address within a single brief window? We don't want to solve captchas any more than you do.
Initial request
Captcha fallback
Login a bunch of times or sign up a bunch of times, NEVER the first time.
Rate limiting and rate tracking. Rails app. Rack::Attack maybe?
Approved product design
Overview of Purpose
Rubygems.org wants to reduce (and prevent if possible) bot activity around signup and login. Captchas are a common way to reduce such activity, but can also be annoying and repetitive. We’d like to use Privacy Pass to get the same security with a smoother user experience than Captcha, although it doesn’t completely replace Captchas.
Current State
We currently throttle login attempts to 100 per 10 minutes. We also limit signup requests by IP address to 100 per 10 minutes. Those are generic limits, which also apply to most actions taken on the website, and we want to reduce the rate limit on logins and signups to something below those current limits, as well as allowing those limits to be adjusted separately. We also want to add a captcha to be solved if you want to sign up for more than one account.
Desired State
Implement protection on the Login and Signup pages as a cascading fallback from Privacy Pass -> Regular Captcha -> Hard Rate Limit.
Successful logins do not increment the login attempt counter, only failures do.
Prerequisite Questions
Acceptance Criteria
Relevant Links
Code Walkthrough of how to implement Privacy Pass on a server
Simplified Explanation of Privacy Pass and Google’s API for it
IETF Proposal (don’t feel like you have to read this unless these kinds of proposals are helpful to you for getting your bearings on a project, or you just enjoy reading internet protocol proposals. It’s dense and bureaucratic.)
Relevant Code
Current Rate Limiting:
Designs
Flows
Flow 1: Signup
Start: Navigates to Signup Page
1.a Try Privacy Pass challenge
1.b Passes Privacy Pass?
1.c Passes Captcha?
1.d Hard rate limit exceeded?
Flow 2: Login
Start: Navigates to Login Page
1.a Try Privacy Pass challenge
1.b Passes Privacy Pass?
1.c Passes Captcha?
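The cascade described under Desired State and in the two flows above (Privacy Pass -> regular captcha -> hard rate limit, with successful logins never counting against the limit), written out as an added example. This is not rubygems.org code and does not use Rack::Attack; it is a framework-free Ruby guard keyed by client IP so the decision logic can be read and run on its own. The window, soft limit, hard limit, the sample IP addresses and the method names are all assumptions; the issue does not fix final numbers.

```ruby
# Added example, not rubygems.org code. A per-IP guard for signup and login
# attempts that escalates in the order the design describes:
#   under the soft limit      -> allow, no challenge shown
#   at/over the soft limit    -> require human verification
#                                (a valid Privacy Pass token or a solved captcha)
#   at/over the hard limit    -> refuse, even if a captcha was solved
# Thresholds below are hypothetical placeholders for the numbers the issue
# says are still to be decided.
class SignupLoginGuard
  WINDOW_SECONDS = 600   # 10-minute window, matching the current throttles
  SOFT_LIMIT     = 1     # second attempt in the window already needs verification
  HARD_LIMIT     = 10    # beyond this, the request is blocked outright

  Decision = Struct.new(:action, :reason)

  # An injectable clock keeps the example deterministic and testable.
  def initialize(clock: -> { Time.now.to_i })
    @clock = clock
    @attempts = Hash.new { |h, k| h[k] = [] }  # ip => [unix timestamps]
  end

  # Tier for this IP right now: :allow, :verify or :block.
  def check(ip)
    count = recent_count(ip)
    return :block  if count >= HARD_LIMIT
    return :verify if count >= SOFT_LIMIT
    :allow
  end

  # Count one attempt against the IP. Signups call this every time;
  # logins call record_login so that only failures are counted.
  def record_attempt(ip)
    @attempts[ip] << @clock.call
  end

  # Successful logins do not increment the counter, only failures do.
  def record_login(ip, success:)
    record_attempt(ip) unless success
  end

  # One request through the cascade. The two keyword flags stand in for
  # the outcome of verifying a Privacy Pass token or a captcha response.
  def authorize(ip, privacy_pass_valid: false, captcha_solved: false)
    case check(ip)
    when :allow
      Decision.new(:allow, "under soft limit")
    when :verify
      if privacy_pass_valid
        Decision.new(:allow, "privacy pass accepted")
      elsif captcha_solved
        Decision.new(:allow, "captcha solved")
      else
        Decision.new(:challenge, "human verification required")
      end
    when :block
      Decision.new(:block, "hard rate limit exceeded")
    end
  end

  private

  # Drop timestamps outside the window, then count what remains.
  def recent_count(ip)
    cutoff = @clock.call - WINDOW_SECONDS
    @attempts[ip].reject! { |t| t < cutoff }
    @attempts[ip].size
  end
end

# Scripted signup burst from one constructed IP. Returns the action taken at
# each step so the sequence can be checked.
def simulate_signup_burst
  now = 1_700_000_000
  guard = SignupLoginGuard.new(clock: -> { now })
  ip = "198.51.100.7"  # constructed sample address
  log = []
  log << guard.authorize(ip).action                           # first signup: no captcha
  guard.record_attempt(ip)
  log << guard.authorize(ip).action                           # second: challenged
  log << guard.authorize(ip, privacy_pass_valid: true).action # Privacy Pass skips captcha
  guard.record_attempt(ip)
  (SignupLoginGuard::HARD_LIMIT - 2).times { guard.record_attempt(ip) }
  log << guard.authorize(ip, captcha_solved: true).action     # hard limit: blocked anyway
  now += SignupLoginGuard::WINDOW_SECONDS + 1                 # window expires
  log << guard.authorize(ip).action                           # clean slate again
  log
end

# Logins: ten successes leave the counter untouched; one failure triggers verification.
def simulate_login_failures
  now = 1_700_000_000
  guard = SignupLoginGuard.new(clock: -> { now })
  ip = "203.0.113.5"  # constructed sample address
  10.times { guard.record_login(ip, success: true) }
  first = guard.authorize(ip).action
  guard.record_login(ip, success: false)
  second = guard.authorize(ip).action
  [first, second]
end
```

In the real app the per-IP store would live in the cache Rack::Attack already uses rather than in process memory, and `privacy_pass_valid` / `captcha_solved` would come from verifying the submitted token with the respective provider; the ordering of the three tiers is what the example is meant to pin down.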