Comments (3)
abramsymons
commented on July 18, 2024
To make sure I have a correct understanding, you use removed collection to have access to timestamp of delete connection request. Otherwise if someone connect to another one and then delete that connection, as we don't have timestamp of delete connection request, someone can replay the first connection request.
Otherwise replay attacks are possible, e.g. I can repeatedly remove someone from a group if they left it at some point in the past and rejoined
We can simply solve this by comparing the remove request timestamp by join timestamp that is recorded in the usersInGroups. But just like in connection, more challenging scenario is when you leave a group after joining and there is no timestamp data for leaving as record is deleted. Therefor we need another collection for recording timestamps for leaving group requests.
If I understand the issue correctly, I think this issue is related to the issue #38 .
I think if we record all requests from the users with their signature in one place, we can avoid replay attacks without adding a new collection for removed records for any create/delete connection/membership/group.
from brightid-node.
adamstallard
commented on July 18, 2024
To make sure I have a correct understanding, you use removed collection to have access to timestamp of delete connection request. Otherwise if someone connect to another one and then delete that connection, as we don't have timestamp of delete connection request, someone can replay the first connection request.
Exactly right
We can simply solve this by comparing the remove request timestamp by join timestamp that is recorded in the usersInGroups. But just like in connection, more challenging scenario is when you leave a group after joining and there is no timestamp data for leaving as record is deleted. Therefor we need another collection for recording timestamps for leaving group requests.
Yes.
If I understand the issue correctly, I think this issue is related to the issue #38 .
I think if we record all requests from the users with their signature in one place, we can avoid replay attacks without adding a new collection for removed records for any create/delete connection/membership/group.
I think so, too. We may even be able to deprecate the "removed" collection, or we may keep such extra collections around just to have better performance for these kind of checks.
from brightid-node.
abramsymons
commented on July 18, 2024
We are checking operation hashes instead of timestamp to avoid any operation be replayed.
The hash is calculated for current operations based on operation_name + message where message includes timestamp too.
from brightid-node.
Related Issues (20)
- Use a single secret key for the node configuration
- Linking a contextId that's too long makes `signed=eth` unusable for other contextIds HOT 1
- redesign channel limits of profile service HOT 1
- get app generated ids in different expiration periods
- a bug in the consensus service
- remove constant parts of the wISchnorrPublic from GET /state
- support linking with Ethereum-signed messages for the soulbound apps
- limit the number of operations that every user/app should be able to send in a duration
- there is an issue in the "recovery connections" tests
- don't send duplicate sponsor operations
- [DRAFT] Change channel expiration behaviour HOT 2
- add appsOperationsLimit
- automate app registry HOT 3
- Sponsoring by contract should be able to accept both "HTTP" and "WS" PRC endpoints
- Adopt signature linking to v6
- Backend for recovery by seed phrase
- Stop calculating a verification per user for each app/expression in scorer
- Use incremental backup/restore for snapshots
- Remove other signing keys after social recovery
- Simplify Sponsoring
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from brightid-node.