OK, I see a few possibilities here. Some folks want 'which' restricted
tightly, others want it a bit more open. One proposal was to introduces a
complicated maze of conditions on when a which is allowed to happen. I
think any solution needs to be simple.
Some observations:
* I don't think limiting the search string to parts of the sending address
preserves any of the functionality that people need 'which' for. Plus
it's meaningless for all but the email interface.
* For the same reason, allowing extra privilege for a blank which
(i.e. match the address I'm sending from exactly) doesn't help.
* the owner can limit access by interface by using the access control
language, so some of this goes away at the expense of disabling which
entirely.
* 'which' isn't really the only way to see which lists you're subscribed
to; the lists command works, too (but it doesn't show you exactly what
address you're subscribed as).
* 'who' is trivially extended to take a string or regex to match against; I
intend for this to be the way that owners grep their lists. List owner
privileges do not override global access restrictions, so 'which' can
never be a good interface for owners to grep their lists.
* The security risks come from people being able to do 'which a' and
systematically pull out large chunks of your list. There are a couple of
ways to combat this:
The access frequency restrictions which Chuq and I discussed a couple of
months back. I haven't done any work on these, but it is (I think)
really easy to wedge them in. These would clamp down on the constant
accesses that the large number of 'which' requests would generate.
A limitation that you get no output at all unless the search string
matches less than some small number of addresses. This requires search
refinement; a user who thinks they know most of the address they joined
as could probably give enough to narrow the search down to a single
address. A malicious person would have to send a whole bunch of requests
to get more than a couple of addresses.
I think that limitation might just be the way to do it. I can't see any
holes in it, and the only technique to reveal list members takes so
incredibly long that it's not feasible. Especially when coupled with
frequency restrictions and the following:
* Limitations on substring search length do work; if you limit it to three
letters, a search already takes 26^3 (17000+) which requests if you don't
restrict the number of matches as above, many more if you do. Uncommon
letter removal lowers this somewhat, but the attack is still pretty
infeasible.
* Limitations on regex length are meaningless; you can always pad out a
regex with metacharacters. I suggest that regex searching be password
restricted. List owners can always use the extended 'who' command to
search by regex.
So, my proposal:
which skips unadvertized lists. Otherwise the names of the hidden lists
are easily exposed; this is simpler than exposing even a single address
from a known list.
which=regex is restricted.
which=substring (the default) requires at least N (N >= 3) characters in
the search string. Smaller strings are restricted.
No matches are reported if more than M (list owner's choice; M=1 is
perfectly feasible) matches would result without password authorization.
Access frequency restrictions (which will eventually be added to the code)
will be used to clamp down on the remaining attacks.
By 'restricted', I mean that the owner will get the choice of how to deal
with the request by examining variables in the access restriction
language. The default will be to deny the request if any of them are
violated.
Note that 'which' requests can generate confirmation tokens, but not on a
per-list level. (A real mess would ensue as a pile of tokens are generated
for each which request.) One of the global moderators must deal with them.
One question is how 'which' should interact with address hiding. 'who'
already can hide an address (exposing the full name, or nothing) depending
on what flags the subscriber has chosen. I think this would just get in
the way, since the utility of 'which' is in exposing addresses. But if you
want to be hidden, perhaps you understand the consequences.
- J<
Follow-Ups:
References:
|
|
