-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Registered usernames that are duplicates or invalid should trigger aggressive warning #119
Comments
|
sorry for the lack of clarity. re: alert banners, the closeable design here is our final decision. note that the alert text in figma is slightly different than the screenshot here. I clarified the issue description above. If a registered user sees a duplicate username with another registered user we can show them the same warning as anybody else because it's strong enough, though in an ideal world we would tell them "hey, somebody is impersonating you." |
It's strongly emphasized that we should ignore actual certificates or certificate requests duplicates if there are no messages signed by those and do not show the warning. Just making sure it's the case. |
Do you mean you recommend this? Can you tell me more? Two registered certificates with the same name is also a problem. If it's hard for some reason we could create an issue for this case and address it later. But I want to cover it because it indicates the registrar is misbehaving. |
@holmesworcester |
The important thing for security is how easy it is for the registrar to spoof messages. Is there a case where the owner could send spoofed messages without triggering the warning? |
no - owner has no such power - it has the power of breaking our rules for certificates as we talked - issuing more than one cert for same username etc. Thanks for clarification |
@holmesworcester one more question: |
Let's mark them with a red badge that says Warning and links to the same warning modal. Can we keep track of which one the user has seen first? If so we could hide messages from the other one entirely. |
That doesn't make sense to me - if I try to register user 'bartek' and it's taken, then I register user 'bart', if someone saw bartek first they will hide messages from bart, is that right? |
Why would bart and bartek be duplicates? |
There is some misunderstanding, I am preparing user stories atm that cover all the cases. I think that's the moment we stopped to understand each other.
That sentence means:
|
I think the public key should identify a user. To change a username, you could just reissue a certificate signing request with the same key. Once the certificate is issued and signed by a trusted source, then a new username is now associated with that public key. From a client's perspective all messages signed by that user's key could have the new username. |
Version: 2.0.3-alpha.0 I found two issues with how it's currently working:
Second problem should be easy to fix but first one is disconcerting. I get the popup and two users registered with the same username by:
This version is the first one in which I get to see this popup also I've tested it in previous versions. There are two possible why I only see it now:
As for design implementation from Figma - they are implemented correctly. |
PR for |
Version: 2.0.3-alpha.2 The issue with impersonation attack has been solved. I can no longer make this popup appear or register two users with the same username. While fixing this issue another thing break - new users joining while the Owner is offline don't get "Unregistered" tag anymore (it was working in previous versions). New issue is opened for that - #2050 as per discussion with @Kacper-RF |
We should validate that data written to the user table meets our criteria, and show an aggressive warning if it does not.
https://www.figma.com/file/TV9pF84Ob8pLYRLu83gNol/Joining-when-owner-is-offline?type=design&node-id=311-6979&mode=design&t=eS9WDLYpQNod1Acl-4
The text was updated successfully, but these errors were encountered: