[Mailman-Developers] Possible yahoogroups problem.
Nigel Metheringham
Nigel.Metheringham at dev.intechnology.co.uk
Wed Jul 9 10:16:42 EDT 2003
On Tue, 2003-07-08 at 17:53, Barry Warsaw wrote:
> On Tue, 2003-07-08 at 11:00, Nigel Metheringham wrote:
>
> > One thing that could be considered to protect ourselves against such
> > attacks if there was a way of reducing the complexity to reasonable
> > levels, would be to drop pending subscription requests after a couple
> > (think of an appropriate number) of failed cookie cracking attempts.
> > That of course transforms this into a denial of service attack :-(
>
> Oh whoops, I just realized that if you get the cookie wrong, you have no
> idea which subscription request they intended to confirm. sha has 160
> bits of data in it and if you're off by one, you don't get a hit and we
> error out. But there's no way to match the sha hexdigest that you got
> in the confirmation attempt with one in the database of pending
> subscription requests.
Of course - I had been thinking that you are confirming a subscription
address so the sender address is used as a key, but that is not how it
works.
You can't reasonably shut off all confirmations if you get a number of
failed confirmations, and expecting the sender address to be useful is
not too good either, so I guess there is no real way to do this.
Nigel.
--
Nigel Metheringham <Nigel.Metheringham at dev.intechnology.co.uk>
...at home... they call this a day off :-)
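To make the point in Barry's reply concrete, here is a small Python model of the confirmation-cookie lookup. It is an added example written for this archive page, not Mailman's own Pending code: the store, the `add`/`confirm` names, the way the 160-bit sha1 cookie is derived from random bytes, and the sample address are all assumptions made for illustration. It shows why a failed confirmation cannot be tied back to a pending request: the only index the store has is the exact cookie, so a guess that is off by even one hex digit matches nothing and carries no information about which request the sender had in mind, which is what rules out a per-request failure counter.

```python
import hashlib
import secrets


class PendingRequests:
    """Pending subscription requests keyed by an opaque 160-bit cookie.

    Illustrative model, not Mailman's implementation: the cookie is the
    sha1 hexdigest (40 hex digits = 160 bits) of fresh random bytes plus
    the address, and the store is a plain dict keyed by that hexdigest.
    """

    def __init__(self):
        self._pending = {}

    def add(self, address):
        # Assumed derivation: random material hashed with the address so
        # the cookie is unguessable and unique to this request.
        cookie = hashlib.sha1(secrets.token_bytes(20) + address.encode()).hexdigest()
        self._pending[cookie] = address
        return cookie

    def confirm(self, cookie):
        # Exact-match lookup only. A cookie that is wrong in a single digit
        # hits nothing, and the store has no way to say which pending request
        # the sender meant, so there is nothing to count a failure against.
        address = self._pending.pop(cookie, None)
        if address is None:
            raise KeyError("no such confirmation cookie")
        return address


def flip_one_hex_digit(cookie, pos=0):
    """Return the cookie with one hex digit changed (an 'off by one' guess)."""
    replacement = "0" if cookie[pos] != "0" else "1"
    return cookie[:pos] + replacement + cookie[pos + 1:]


def demo(address="alice@example.org"):
    """Constructed scenario: one pending request, one near-miss guess, one real confirm.

    Returns (near_miss_matched, confirmed_address, cookie_bits).
    """
    store = PendingRequests()
    cookie = store.add(address)

    near_miss = flip_one_hex_digit(cookie)
    try:
        store.confirm(near_miss)
        near_miss_matched = True
    except KeyError:
        near_miss_matched = False

    confirmed = store.confirm(cookie)
    return near_miss_matched, confirmed, len(cookie) * 4


if __name__ == "__main__":
    matched, who, bits = demo()
    print(f"near-miss matched: {matched}, confirmed: {who}, cookie bits: {bits}")
```

The 160-bit width is what makes the search space hopeless for a guesser, and the exact-match dict is what makes a wrong guess uninformative to the server; both properties follow from the cookie being an opaque hash rather than something derived from the sender address.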