Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update exp back off endpoints #2330

Merged
merged 4 commits into from Jun 18, 2020
Merged

Conversation

sonalkr132
Copy link
Member

@sonalkr132 sonalkr132 commented Apr 25, 2020

Only endpoints with mfa need exp back off, extraneous endpoints were added in #2078

mfa create and udpate and api show actions use otp but were not in exp back off limits.

@sonalkr132
Copy link
Member Author

@sonalkr132 sonalkr132 commented Jun 15, 2020

Pasting my commit message here justifing reducing back off levels.

relaxing limits would ensure legitimate requests don't get throttled.

with max of 600 allowed req, otp key could be guessed at least once
with more than 50% probability after ~1180 trials[1]. Previously, it
would have taken (1180 * 1000000 seconds) 37 years, now it would take
(1180 * 90000 seconds) 3.3 years
. This should be good enough for our
purpose.

[1] trail - guessing otp key by trying all combinations in the given
period.
prob of success = no of keys tried/total possible keys = 600/100_000 =
0.0006

Suppose a binomial experiment consists of n trials and results in x
successes.
If the probability of success on an individual trial is P, then the
binomial probability is:
b(x; n, P) = nCx * P^x * (1 - P)^(n - x)

in our case, n = 1180, P = 0.0006, x = 1

b(1) = 1180 * 0.0006 * 0.9994^1179 = 0.34891620349

b(at least 1 success) = b(1) + b(2) + ... b(100_000) = 0.50747619524

sonalkr132 added 4 commits Jun 17, 2020
also, adds mfa create, update and api key show to exp back off
these endpoints use otp code in controller which can be brute forced
HO report for rate limit missing on mfa update:
https://hackerone.com/reports/797170
it was added to exp back off rate limit
relaxing limits would ensure legitimate requests don't get throttled.

with max of 600 allowed req, otp key could be guessed at least once
with more than 50% probability after ~1180 trials[1]. Previously, it
would have taken (1180 * 1000000 seconds) 37 years, now it would take
(1180 * 90000 seconds) 3.3 years. This should be good enough for our
purpose.

[1] trail - guessing otp key by trying all combinations in the given
period.
prob of success = no of keys tried/total possible keys = 600/100_000 =
0.0006

Suppose a binomial experiment consists of n trials and results in x
successes.
If the probability of success on an individual trial is P, then the
binomial probability is:
b(x; n, P) = nCx * P^x * (1 - P)^(n - x)

in our case, n = 1180, P = 0.0006, x = 1

b(1) = 1180 * 0.0006 * 0.9994^1179 = 0.34891620349

b(at least 1 success) = b(1) + b(2) + ... b(100_000) = 0.50747619524
@sonalkr132 sonalkr132 merged commit 4260a9e into rubygems:master Jun 18, 2020
1 check passed
@sonalkr132 sonalkr132 deleted the mfa-profile-edit branch Jun 18, 2020
@sonalkr132 sonalkr132 temporarily deployed to staging Jun 18, 2020 Inactive
@sonalkr132 sonalkr132 temporarily deployed to production Jun 22, 2020 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants