Mattia Verga via devel wrote: > Il 19/02/22 19:38, Björn Persson ha scritto: > > Zbigniew Jędrzejewski-Szmek wrote: > >> I think it'd be better to check the status weekly and only require > >> account reconfirmation if the quarantine status is detected ⌊N / 7 - 1⌋ > >> times in a row (where N=quarantine length in days). > > It will be fine as long as it's done before the domain is released for > > registration. Let's just not make it so tight that a little unscheduled > > downtime can open an attack window. > > > But this covers just the case where a domain is expired and free to take. Correct. I'm not saying it would be a panacea. > I agree this would be the easiest attack vector, but what about if it's > the user email only to expire and free to take? There are (at least, I'm > sure there were) some free email services that expire email addresses > not used for a year or so. Also, in a previous comment in this thread, > someone pointed out that also email addresses from universities or other > institutions can be "recycled". These are harder attack cases, but > they're possible. Do these services and institutions publish lists of expired email addresses and dates when they will be recycled? In that case they could be handled the same way as expired domains. > That's why I proposed a check against user activity rather than a check > against domain or email reachability. Doing one does not prevent doing the other. Disabling inactive user accounts makes sense because abandoned accounts are more likely targets for takeover. It can be expected to reduce the risk somewhat, but it's not a reliable way to prevent takeovers entirely. Zbigniew said that some registries use quarantine times as short as 14 days. You can't disable packagers just because they take a two-week vacation. Monitoring for expired domains is a reliable way to eliminate one attack vector, but not other attack vectors. Other countermeasures against other attack vectors are also needed. Existence of other attack vectors is not a valid argument against eliminating one attack vector. Björn Persson
Attachment:
pgpavaJ_LJWTc.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure