
Update exp back off endpoints #2330

Merged: sonalkr132 merged 4 commits into rubygems:master from sonalkr132:mfa-profile-edit, Jun 18, 2020

Conversation

@sonalkr132
Member

Only endpoints with mfa need exp back off; extraneous endpoints were added in #2078.

mfa create and update and api show actions use otp but were not in exp back off limits.

@sonalkr132
Member Author

Pasting my commit message here justifying reducing back off levels.

relaxing limits would ensure legitimate requests don't get throttled.

with max of 600 allowed req, otp key could be guessed at least once
with more than 50% probability after ~1180 trials[1]. Previously, it
would have taken (1180 * 1000000 seconds) 37 years, now it would take
(1180 * 90000 seconds) 3.3 years. This should be good enough for our
purpose.

[1] trial - guessing otp key by trying all combinations in the given
period.
prob of success = no of keys tried/total possible keys = 600/100_000 =
0.0006

Suppose a binomial experiment consists of n trials and results in x
successes.
If the probability of success on an individual trial is P, then the
binomial probability is:
b(x; n, P) = nCx * P^x * (1 - P)^(n - x)

in our case, n = 1180, P = 0.0006, x = 1

b(1) = 1180 * 0.0006 * 0.9994^1179 = 0.34891620349

b(at least 1 success) = b(1) + b(2) + ... b(100_000) = 0.50747619524

also, adds mfa create, update and api key show to exp back off
these endpoints use otp code in controller which can be brute forced
HO report for rate limit missing on mfa update:
https://hackerone.com/reports/797170
it was added to exp back off rate limit
@sonalkr132 sonalkr132 merged commit 4260a9e into rubygems:master Jun 18, 2020
@sonalkr132 sonalkr132 deleted the mfa-profile-edit branch June 18, 2020 05:08
@sonalkr132 sonalkr132 temporarily deployed to staging June 18, 2020 05:50 Inactive
@sonalkr132 sonalkr132 temporarily deployed to production June 22, 2020 17:50 Inactive