Hi! I've been reading the Thandy design.
> Endless data attacks. An attacker responds to a file download request with an endless stream of data, causing harm to clients (e.g. a disk partition filling up or memory exhaustion).

Affected:
- tails_htp
- Tails security check perhaps?
- wherever else you are using a scripted download (didn't check more thoroughly than a fast grep for curl)

We're in luck. A fix doesn't appear to be that complicated. Curl supports --max-time. Adding a timeout between, well, 120 and 300 seconds?

Whatever a good timeout value would be, it's probably best not to hard code, let's say for example, 120 seconds. I think it may be best to add a random extra delay between maybe 0 and 300 seconds so the attacker doesn't know for sure if Tor, the wifi, the network broke down or if the user was using --max-time.

What do you think?

Cheers!
adrelanos
_______________________________________________
tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
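The proposal above as an added example, not part of the original message and not code from Tails: curl's `--max-time` set to 120 seconds plus a random 0 to 300 second delay. It goes beyond the post by also capping the bytes written, because a time limit alone does not bound how much data arrives before it fires; `MAX_BYTES` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
BASE_TIMEOUT=120    # seconds; lower bound floated in the post
MAX_JITTER=300      # seconds; random extra delay floated in the post
MAX_BYTES=1048576   # assumption: 1 MiB size cap, not in the post

# Print a timeout in [base, base + jitter], drawn from /dev/urandom.
pick_timeout() {
    r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
    echo $(( $1 + r % ($2 + 1) ))
}

# Copy stdin to file $2, reading at most $1 + 1 bytes.
# Returns 1 and deletes the file if the input exceeded $1 bytes.
cap_stream() {
    head -c "$(( $1 + 1 ))" > "$2"
    n=$(( $(wc -c < "$2") ))
    if [ "$n" -gt "$1" ]; then
        rm -f "$2"
        return 1
    fi
}

# Fetch URL $1 into file $2 under both a time bound and a size bound.
bounded_fetch() {
    t=$(pick_timeout "$BASE_TIMEOUT" "$MAX_JITTER")
    # A POSIX pipeline hides curl's exit status, so record it in a side file.
    { curl --silent --fail --max-time "$t" "$1"; echo "$?" > "$2.rc"; } |
        cap_stream "$MAX_BYTES" "$2" && capped=0 || capped=1
    rc=$(cat "$2.rc" 2>/dev/null || echo 1); rm -f "$2.rc"
    if [ "$capped" -ne 0 ] || [ "$rc" -ne 0 ]; then
        rm -f "$2"   # never leave a truncated or oversized file behind
        return 1
    fi
}
```

`bounded_fetch URL FILE` returns non-zero on timeout, HTTP error or an oversized response, so a calling script can treat all three as a failed download.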
