On 14/02/18 at 10:27, Axel Braun wrote:
> On Sunday, 4 February 2018 00:30:05 UTC+1, Cédric Krier wrote:
>> On 2018-02-03 07:48, Axel Braun wrote:
>>> On Monday, 29 January 2018 23:25:07 UTC+1, Cédric Krier wrote:
>>>> On 2018-01-29 12:47, Axel Braun wrote:
>>>>> I would like to discuss https://bugs.tryton.org/issue5375 with all 
>>>>> developers involved.
>>>>
>>>> All developers have already commented on the issue and we all agree that
>>>> the proposal is wrong, solves nothing and weakens the brute force attack
>>>> protection.
>>>
>>> We had a constructive and friendly discussion about the topic here: 
>>> https://bugzilla.opensuse.org/show_bug.cgi?id=1078111
>>
>> What I read is that more people agree that the applied patch does not
>> solve any issue and disables the brute force attack protection.
> 
> Maybe you should read more carefully: The current implementation in Tryton, 
> that allows you to bring the whole system down by flooding the database with 
> login requests is rubbish (OK, the security team phrased it more politely)

It would be great if we all phrased our words more politely ;)

In case of flooding, the system can be brought down when the server does
not have enough capacity to reply to all the requests. If you get such
attacks, I think it's better to block the corresponding IP. Indeed a new
patch has been proposed to improve it:

https://bugs.tryton.org/issue7110

I think this will work better for flooding attacks.

> 
>>> The advice from the security team should be considered for a future patch.
>>
>> But more importantly, the applied patch on the OpenSUSE package must be
>> removed ASAP to not expose OpenSUSE users of the Tryton package to brute
>> force attack against their password.
> 
> Dunno if you have read the link you have posted above 
> (https://www.schneier.com/blog/archives/2009/01/bad_password_se.html) 
> yourself, but the first comment already describes it pretty well.

For me the important word in the posted link is *rapid-fire*. In Tryton
we have a timeout to prevent the rapid fire. Otherwise it would be
possible to attack it with a brute force attack.

> 
> Up to now we have no better patch in place. The proposed patch 
> https://codereview.appspot.com/335550043/ makes thing even worse.

I think it's a sample implementation to show how the session management
can be customized, so you can implement whatever you want in third-party
packages without patching the trytond server. This allows end users to
pick the most suitable solution for them, which for me is a big benefit.

-- 
Sergi Almacellas Abellana
www.koolpi.com
Twitter: @pokoli_srk
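Added example, not code from Tryton, trytond or any patch linked in this thread: a small per-IP failed-login limiter that combines the two ideas discussed above. A per-attempt delay slows rapid-fire guessing, while a source that keeps failing is blocked for a while and its further requests are rejected immediately, without the delay and without touching the database, so a flood from that source costs the server very little. The class name `LoginLimiter`, its parameters, the injectable `clock`/`sleep` callables and the simulated IP addresses are all assumptions made for this illustration.

```python
"""Per-IP failed-login limiter (illustration only, not trytond code)."""
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Delay failed attempts, then block a source IP after repeated failures.

    max_failures: failures within `window` seconds that trigger a block
    block_time:   seconds the IP stays blocked
    delay:        seconds to sleep after a non-blocking failure (anti rapid-fire)
    clock/sleep:  injectable so the behaviour can be simulated without waiting
    """

    def __init__(self, max_failures=5, window=60.0, block_time=300.0,
                 delay=1.0, clock=time.monotonic, sleep=time.sleep):
        self.max_failures = max_failures
        self.window = window
        self.block_time = block_time
        self.delay = delay
        self.clock = clock
        self.sleep = sleep
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time when the block expires

    def is_blocked(self, ip):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Block expired: forget the old failure history as well.
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def _recent_failures(self, ip, now):
        # Drop failures older than the sliding window.
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def attempt(self, ip, check_password):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_blocked(ip):
            # Cheap rejection: no delay, no credential lookup.
            return 'blocked'
        if check_password():
            self._failures.pop(ip, None)
            return 'ok'
        now = self.clock()
        q = self._recent_failures(ip, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_time
        else:
            self.sleep(self.delay)   # throttle rapid-fire guessing
        return 'failed'


def simulate_flood(attempts, max_failures=5, window=60.0,
                   block_time=300.0, delay=1.0):
    """Run `attempts` failed logins from one constructed IP with a fake clock.

    Returns (list of results, total seconds the server spent delaying).
    """
    state = {'now': 0.0, 'slept': 0.0}

    def clock():
        return state['now']

    def sleep(seconds):
        state['slept'] += seconds
        state['now'] += seconds

    limiter = LoginLimiter(max_failures, window, block_time, delay, clock, sleep)
    # 198.51.100.7 is a constructed documentation-range address.
    results = [limiter.attempt('198.51.100.7', lambda: False)
               for _ in range(attempts)]
    return results, state['slept']


if __name__ == '__main__':
    results, slept = simulate_flood(10)
    print(results)          # 5 delayed failures, then immediate rejections
    print('delay spent:', slept)
```

With the defaults, the first four failures each cost the server a one-second delay, the fifth triggers the block, and every later request from that address is turned away at once; the delay (the anti rapid-fire measure) therefore never grows past a bounded amount per source, which is the property the flooding concern above is about.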

-- 
You received this message because you are subscribed to the Google Groups 
"tryton-dev" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tryton-dev/49f0c960-cfab-0cda-7734-a62bae3889f8%40koolpi.com.