Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update exp back off endpoints #2330

Merged
merged 4 commits into from
Jun 18, 2020
Merged

Update exp back off endpoints #2330

merged 4 commits into from
Jun 18, 2020

Conversation

sonalkr132
Copy link
Member

Only endpoints with mfa need exp back off, extraneous endpoints were added in #2078

mfa create and udpate and api show actions use otp but were not in exp back off limits.

@sonalkr132
Copy link
Member Author

Pasting my commit message here justifing reducing back off levels.

relaxing limits would ensure legitimate requests don't get throttled.

with max of 600 allowed req, otp key could be guessed at least once
with more than 50% probability after ~1180 trials[1]. Previously, it
would have taken (1180 * 1000000 seconds) 37 years, now it would take
(1180 * 90000 seconds) 3.3 years. This should be good enough for our
purpose.

[1] trail - guessing otp key by trying all combinations in the given
period.
prob of success = no of keys tried/total possible keys = 600/100_000 =
0.0006

Suppose a binomial experiment consists of n trials and results in x
successes.
If the probability of success on an individual trial is P, then the
binomial probability is:
b(x; n, P) = nCx * P^x * (1 - P)^(n - x)

in our case, n = 1180, P = 0.0006, x = 1

b(1) = 1180 * 0.0006 * 0.9994^1179 = 0.34891620349

b(at least 1 success) = b(1) + b(2) + ... b(100_000) = 0.50747619524

@sonalkr132
Remove endpoints without mfa from exp backoff
bb58b9e 
also, adds mfa create, update and api key show to exp back off
these endpoints use otp code in controller which can be brute forced
HO report for rate limit missing on mfa update:
https://hackerone.com/reports/797170
@sonalkr132
Remove api key from generic rate limit
d8eaeb8 
it was added to exp back off rate limit
@sonalkr132
Move rate limit methods to helper
99ad429
@sonalkr132
reduce exp back off level and increase base limit
cf18f41 
relaxing limits would ensure legitimate requests don't get throttled.

with max of 600 allowed req, otp key could be guessed at least once
with more than 50% probability after ~1180 trials[1]. Previously, it
would have taken (1180 * 1000000 seconds) 37 years, now it would take
(1180 * 90000 seconds) 3.3 years. This should be good enough for our
purpose.

[1] trail - guessing otp key by trying all combinations in the given
period.
prob of success = no of keys tried/total possible keys = 600/100_000 =
0.0006

Suppose a binomial experiment consists of n trials and results in x
successes.
If the probability of success on an individual trial is P, then the
binomial probability is:
b(x; n, P) = nCx * P^x * (1 - P)^(n - x)

in our case, n = 1180, P = 0.0006, x = 1

b(1) = 1180 * 0.0006 * 0.9994^1179 = 0.34891620349

b(at least 1 success) = b(1) + b(2) + ... b(100_000) = 0.50747619524
@sonalkr132 sonalkr132 merged commit 4260a9e into rubygems:master Jun 18, 2020
@sonalkr132 sonalkr132 deleted the mfa-profile-edit branch June 18, 2020 05:08
@sonalkr132 sonalkr132 temporarily deployed to staging June 18, 2020 05:50 Inactive
@sonalkr132 sonalkr132 temporarily deployed to production June 22, 2020 17:50 Inactive
@sonalkr132 sonalkr132 mentioned this pull request Jul 14, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@colby-swandale colby-swandale colby-swandale approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sonalkr132 @colby-swandale