Problem: avoid spam from attackers trying to use the room alias. If anyone with a new app can input my alias, then that could cause a popup on my app asking for approval. The popups can get too intrusive if it's about an attacker and I have to reject them every time.
Idea: When the new app sends brokerAuth.request() it can also send a partial proof that it owns the same SSB ID, sort of like a "password". It could be the 1st word in the 24-word phrase. The "proofword".
This would create a lot more friction to brute-force attacks because the room can detect that an attacker is calling too many brokerAuth.request()s and ban the attacker based on SSB ID or IP. And even in the worst case where the attacker guesses the correct 1st word (out of 2048 words), the effect is not a breach, it's simply that the old app would show the popup asking for permission.