This repository has been archived by the owner on May 22, 2021. It is now read-only.

Integrate with the IP reputation service #91

Closed
ghost opened this issue Jun 13, 2017 · 16 comments

@ghost

ghost commented Jun 13, 2017

@jvehent can you give us more details on how to do this? (links to docs?)

@ghost ghost added the security label Jun 13, 2017
@jvehent

jvehent commented Jun 13, 2017

@g-k is the reputation man.

@g-k

g-k commented Jun 14, 2017

Not sure what violations/abuse to expect, but we'd want to:

  • define some violation types (e.g. multiple uploads from an IP that virustotal flags as malware)
  • generate reputation service credentials per the "Adding a new service" section of https://mana.mozilla.org/wiki/x/9yuxAw
  • integrate the js-client-library
  • send IPs and violations to the reputation service
  • check if an IP is reputable before certain actions like accepting an upload

I can write patches for the integration.
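One way to wire up the steps listed above, as an added example that is not code from the Send repository or the reputation service's client library. The `FakeReputationClient` is a constructed in-memory stand-in for the real client (a real one would be asynchronous), and the violation names, penalties and the reputation threshold are assumptions for illustration.

```javascript
// Violation types the application defines; penalty values are assumed, not
// the reputation service's own. Reputation is modelled as a 0-100 score.
const VIOLATIONS = {
  'upload.rate': 10,   // many uploads from one IP inside a short window
  'upload.abuse': 50   // operator-confirmed storage/bandwidth abuse
};
const MIN_REPUTATION = 50; // assumed cut-off below which uploads are refused

// Constructed stand-in for the reputation service client: every IP starts at
// 100 (fully reputable) and loses reputation as violations are reported.
class FakeReputationClient {
  constructor() { this.scores = new Map(); }
  getReputation(ip) { return this.scores.has(ip) ? this.scores.get(ip) : 100; }
  sendViolation(ip, violation) {
    const penalty = VIOLATIONS[violation];
    if (penalty === undefined) throw new Error(`unknown violation: ${violation}`);
    this.scores.set(ip, Math.max(0, this.getReputation(ip) - penalty));
  }
}

// Express-style middleware for the upload route: consult the reputation
// service before accepting the upload and answer 429 when the IP is below
// the threshold. This limits abuse of bandwidth/storage, not content.
function reputationGate(client) {
  return function (req, res, next) {
    if (client.getReputation(req.ip) < MIN_REPUTATION) {
      res.status(429).end();
      return;
    }
    next();
  };
}

// Sliding-window upload counter per IP; once an IP exceeds `limit` uploads
// within `windowMs`, an 'upload.rate' violation is sent to the service.
function makeUploadTracker(client, { limit = 20, windowMs = 60000 } = {}) {
  const uploads = new Map();
  return function recordUpload(ip, now = Date.now()) {
    const recent = (uploads.get(ip) || []).filter(t => now - t < windowMs);
    recent.push(now);
    uploads.set(ip, recent);
    if (recent.length > limit) client.sendViolation(ip, 'upload.rate');
    return recent.length;
  };
}
```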

@dannycoates dannycoates added this to the Calico Cat milestone Jun 20, 2017
@abhinadduri abhinadduri self-assigned this Jun 21, 2017
@abhinadduri
Collaborator

@g-k Is there a Mozilla account for VirusTotal or for similar APIs? If not, I can go ahead and start development with a personal account.

@g-k

g-k commented Jun 23, 2017

@abhinadduri Thanks for picking this up! You can probably register for a public one for testing/development.

I bet we'll hit the 4 requests/minute limit for a public API key quickly and want a private one. @jvehent does cloud services security/secops have one? I don't think we do. EIS or RelEng might have keys too. We might as well look into getting another one, since this is a different use case.

Not sure what privacy/security review this project has undergone, but we might need to add a notice saying we'll send hashes of your unencrypted files to VT somewhere too.

@jvehent

jvehent commented Jun 23, 2017 via email

@abhinadduri
Collaborator

abhinadduri commented Jun 24, 2017

@jvehent In that case, should I move this issue to a later (maybe v2) milestone?

@jvehent

jvehent commented Jun 25, 2017

That seems reasonable to me.

@dannycoates
Contributor

@g-k should we be using this service for simple rate limiting or something else?

@g-k

g-k commented Jul 11, 2017

@dannycoates it can be used for rate limiting or blocking actions from IPs with poor reputation. It's up to the application to decide what to do with the reputation data.

@ghost ghost modified the milestones: Stretch, Dedicated Dingo (July 14) Jul 14, 2017
@ghost ghost unassigned abhinadduri Jan 22, 2018
@ghost
Author

ghost commented Jan 22, 2018

@g-k are you still interested in writing a patch for this? :)

@g-k

g-k commented Jan 23, 2018

@wresuolc I can. Is Send graduating from Testpilot?

@ghost
Author

ghost commented Jan 23, 2018

I think it's going to stay in Test Pilot for the short term. @johngruen is there a party line for Send graduation?

@ioistired

Isn't the whole point of end-to-end crypto that users can send whatever they want? How would we tell if people upload malware, short of them sharing the link online? What if a security researcher repeatedly uses the same IP to send samples to a friend? Just my two cents here.

@dannycoates
Contributor

@bmintz we wouldn't discriminate on content. We'd likely use this to limit abuse of bandwidth and storage.

@ioistired

@dannycoates so what's this about VirusTotal? In what situations would that come into play?

@dannycoates
Contributor

so what's this about VirusTotal?

Old news. The very early design included the hash of the unencrypted file. Now we use GCM to ensure the file's integrity and have no knowledge of the file contents or metadata (aside from size).

This issue was closed.