Roundup Tracker - Issues

Message5783

Author ThomasAH
Recipients ThomasAH, ber, ezio.melotti, luke, rouilj
Date 2016-07-08.07:16:44
Message-id <20160708084433.856086972.thomas@intevation.de>
In-reply-to <20160707120120.2009D80631@vm71.cs.umb.edu>
* John Rouillard <issues@roundup-tracker.org> [20160707 14:01]:
> Also the user has the option of specifying the email address they want
> the recovery password sent to. If they specified an email address,
> should we mask it?

Yes, unless implementing the check is trivial.

> Should we return an error if the user supplies an invalid lookup email
> address rather than a username? I think my answer is no, don't return
> an error but...
> 
> However we probably should always provide a positive response even if
> the username they asked for is invalid. Asking for a reset for the

I agree!

> user "donny" who doesn't exist should result in:
> 
>    Email has been sent to d**ny@rx*****.**m
> 
> The domain part of the result can be made up from random words/chars.

But it has to stay the same for every time a potential attacker asks
for the same username again, otherwise he could just ask twice and
see if the result changes.

But if we want to do this, the made-up domain part would have to be
the most commonly used domain in the tracker, otherwise it would be
easy to verify the existence of many accounts if a tracker has e.g.
70% users in domain "intevation.de" and we always send "m" at the
end:

donny -> d....@............m  (probably does not exist)
thomas -> t.....@............e (confirmed to exist)

Sounds a bit complicated?
Then maybe it is a bad idea to send obfuscated addresses?
Not sure.

> >This sometimes is really annoying, so I would prefer to only have this
> >as an option (if at all), not the default, as the default behavior of
> >roundup is a public tracker, even if we mostly use non-public trackers.
> 
> Agreed, it will be a tracker option maybe:
> 
>      mask_recovery_email = yes/no

I'd rather have three settings:
    foo_bar_option_name = show/hide/mask

> or even:
> 
>      recovery_email_mask_character = *
>
> default not set and no masking happens. If set to a character, masking
> happens using that character.

I don't think configuring the mask character is needed :)
And (ab)using such a setting for disabling/enabling the feature is
confusing.

> >To make the obfuscation yield more privacy, I suggest obfuscating more,
> >especially in the username part, as this often includes the real name of
> >people.
> >
> >What about replacing everything with dots, except for the first
> >character of the localpart, the @ and the last character of the domain
> >(and the dots :)), e.g.:
> >
> >user@example.com -> u...@..........m
> >user@example.net -> u...@..........t
> >firstname@example.com -> f........@..........m ->
> >firstname.lastname@ntvtn.de -> f.................@.......e
> 
> I am worried that that is too little info. I was trying to find a mask
> that displays places where there is likely to be a lot of variation in
> the unmasked bits. But still making enough to prevent somebody who
> won't know the original input from making an email address from
> it. Hence trying to include a couple of bytes of info around both
> sides of the @ sign.
> 
> I think if we can get a mask that allows for 5-10 plausible variations
> in email addresses we have done our job.
> 
> If it's a targeted attack against a specific user where the attacker
> has a lot of background knowledge, anything that would be useful to
> the actual account owner will also be useful to the attacker so...
> 
> Also I think losing the structure of the email address (i.e. what is a
> . in the address vs. what is a masking dot) is a problem as well, but
> setting a different "masking_character" config option allows the
> tracker admin to choose.
> 
> Maybe
> 
>   user@example.com -> u.er@ex........m
>   user@example.net -> u.er@ex........t
>   firstname@example.com -> f......me@ex........m ->
>   firstname.lastname@ntvtn.de -> f...............me@nt.....e
> 
> I have the same username at most places. The start of the domain spec
> is where the high entropy bits are located for my addresses.

Then it is even more important to mask more of the domain part, here
are two of your real addresses and five (probably) fictional addresses:

r...lj@us.........t
r...lj@cs.......u
r...lj@gm......m
r...lj@go...........m
r...lj@ho........m
r...lj@ms....m
r...lj@gm...e  (this one is a bit tricky for people outside Germany,
                but it is quite common here, maybe you know it)

You can clearly distinguish the first two real addresses.
Can you guess what the other five addresses are?
Could you still guess them with more masking?

r.....@........m
r.....@.............m
r.....@..........m
r.....@......m
r.....@.....e

But if you know that you have addresses at gmail.com,
googlemail.com, hotmail.com, msn.com and gmx.de, you can still
distinguish them. Not at a glance, but if you really need to know,
you can count the dots (or stars) and compare them to your addresses.
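As an added illustration of the design points discussed in this thread (not code from Roundup or from the message author), the following Python sketch implements the proposed dot mask, a deterministic decoy address for unknown usernames placed in the tracker's most common domain, and the dot-counting check that shows what a mask still reveals. The user list, server secret and common domain are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data (not from the tracker): known accounts, a
# server-side secret that would live in the tracker config, and the
# domain most users of this hypothetical tracker share.
KNOWN_USERS = {"thomas": "thomas@intevation.de", "rouilj": "rouilj@cs.umb.edu"}
SERVER_SECRET = b"constructed-example-secret"
COMMON_DOMAIN = "intevation.de"


def mask_address(addr: str) -> str:
    """Mask as proposed in the thread: keep the first character of the
    localpart, the '@' and the last character of the domain; dot the rest."""
    local, domain = addr.rsplit("@", 1)
    return f"{local[0]}{'.' * (len(local) - 1)}@{'.' * (len(domain) - 1)}{domain[-1]}"


def decoy_address(username: str) -> str:
    """Deterministic decoy for an unknown username. Repeating the request
    yields the same output, and the decoy sits in the most common domain so
    its mask is indistinguishable from those of real users there."""
    digest = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    local_len = 4 + int(digest[:2], 16) % 8  # vary the localpart length as well
    return f"{username[:1] or 'x'}{digest[2:1 + local_len]}@{COMMON_DOMAIN}"


def recovery_response(username: str) -> str:
    """Always answer positively, whether or not the username exists."""
    addr = KNOWN_USERS.get(username) or decoy_address(username)
    return f"Email has been sent to {mask_address(addr)}"


def matching_domains(masked: str, candidates: list[str]) -> list[str]:
    """Residual-leak check from the thread: which candidate domains agree
    with the dotted domain part in length and last character?"""
    domain_mask = masked.rsplit("@", 1)[1]
    return [d for d in candidates if len(d) == len(domain_mask) and d[-1] == domain_mask[-1]]


if __name__ == "__main__":
    for name in ("thomas", "rouilj", "donny"):
        print(name, "->", recovery_response(name))
    print(matching_domains(mask_address("rouilj@gmx.de"),
                           ["gmail.com", "googlemail.com", "hotmail.com", "msn.com", "gmx.de"]))
```

The decoy keeps an unknown username's response stable across repeated requests and shaped like the dominant domain, while matching_domains makes explicit that a length-preserving mask still lets anyone who knows a short list of candidate domains tell them apart by counting dots.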
History

Date                 User      Action  Args
2016-07-08 07:16:46  ThomasAH  set     recipients: + ThomasAH, ber, rouilj, ezio.melotti, luke
2016-07-08 07:16:46  ThomasAH  link    issue2550716 messages
2016-07-08 07:16:44  ThomasAH  create