W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2021

Re: PoW (Re: Attack research on HTTP/2 implementations)

From: Erik Aronesty <erik@q32.com>
Date: Fri, 3 Sep 2021 11:53:10 -0400
Message-ID: <CAJowKg+LjyP5JzGWgKUfV-nKHrdOe_bpzEdiVmY=5+uuwyHSFw@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Nick Harper <ietf@nharper.org>, Erik Nygren <erik@nygren.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Martin Thomson <mt@lowentropy.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
a flexible, intelligent protocol could make it infeasible for an
attacker to bring down a server, while allowing regular traffic to
proceed virtually unhindered

but i'm arguing with people who have conflicts of interest, so i'm done.

On Fri, Sep 3, 2021 at 11:41 AM Paul Vixie <paul@redbarn.org> wrote:
> On Fri Sep 3, 2021 at 11:54 AM UTC, Erik Aronesty wrote:
> > > Proof of work ...
> i pronounce the acronym PoW differently, "proof of waste". perhaps it's
> not as wasteful if the computations are in the goldilocks zone, easy for
> actual clients, difficult for malicious or fake clients. but we'd be
> arguing matters of degree (how wasteful?) not kind (it's always wasteful.)
> > assuming the attacker has non-infinite resources, a 10x increase in
> > computation on the client during an attack results in a 10% increase
> > in overall computation
> attackers have elastic resources, they'll steal as much as they need. if
> we try to stop them with proof of waste, they will use botnets as necessary
> to waste as much as we demand. computation is not a rare or valuable asset.
> i do not predict a goldilocks zone in the latency requirements for PoW
> such that we can distinguish distributed vs. local computation by a client.
> consider captcha, which tries to rely on human "computation". attackers
> have at various times screen-scraped the captcha demand and shown it to a
> user of some "free porn" site they operate, and then copy out the clicks
> from that proxy-human, and use them to enter the original protected site.
> security engineering is not the same as theory or whiteboarding. at a
> minimum, it's necessary to understand the attacker's motives and
> alternatives before targeting them for a cost you hope is "too high".
> vixie
Received on Friday, 3 September 2021 15:58:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 3 September 2021 15:58:39 UTC