Issue created Jan 21, 2023 by Administrator (@root, Contributor). 1 of 1 checklist item completed.

Thoughts That Sprung To Mind Around Security and Abuse

Created by: Grunet

Want to preface by emphasizing I think this is a super neat idea that could be super beneficial to the community, and to thank everyone involved for their work on it.

When I was trying to wrap my head around what it was, I had a few thoughts spring to mind around security and abuse scenarios. I wanted to share them just to get them out of my head and better understand if they're actually pointing to anything.

Malicious Actor Posing as Someone Else

If someone malicious submits a request to join, maybe posing as someone else in the community and using their website but with a tiny difference that's hard to spot (like 1 letter off in the domain name, or other standard email phishing sort of techniques) that looks exactly like that person's actual website, it seems like they might be able to sneak in and then phish users of the webring.

Rough Idea to Combat Malicious Actor Posing as Someone Else

Add an out-of-band validation step to make sure the person is who they say they are (e.g. reaching out on one of the socials they offer). Presumably that's harder to manufacture replicas of? Not sure.

Link Destinations Being Masked are Challenging

Similar to the email phishing analogy above, it seems like it'd be hard for a user to safely evaluate whether or not to follow a previous/next/random link since you can't easily tell where it's going to take you or if it might be a malicious site.

Even with no malicious sites in the webring, there's also the concern of the webring's backend getting compromised and a malicious actor taking control of the redirection (e.g. for phishing) without anyone noticing.

Rough Idea to Combat Link Destinations Being Masked are Challenging

If there's some kind of independent way from the backend resource to monitor the redirects that are occurring (e.g. via gateway access logs), presumably it'd be possible to detect if something is going awry with them.

Code of conduct

  • I agree to follow this project's code of conduct
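
One way to implement the independent redirect monitoring suggested in the issue, as an added example (not part of the original issue or the webring project's code): it audits 3xx `Location` targets in gateway access logs against the member list and separately flags hosts that are one character away from a member. The log format, member hostnames and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed member list (constructed hostnames, not the webring's real members).
MEMBERS = {"alice.example", "bob.example", "carol.example"}

# Assumed gateway log format: METHOD PATH STATUS LOCATION
LOG_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<location>\S+)$")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, members=MEMBERS):
    """Return 'ok' for a member, 'lookalike' for a near miss, else 'unknown'."""
    host = host.lower().rstrip(".")
    if host in members:
        return "ok"
    if any(edit_distance(host, m) <= 1 for m in members):
        return "lookalike"
    return "unknown"

def audit_redirects(lines, members=MEMBERS):
    """Return (line_no, path, host, verdict) for every redirect that is not 'ok'."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m or not m["status"].startswith("3"):
            continue  # not a redirect, nothing to audit
        # A Location without a host (relative or unparseable) is flagged for review.
        host = urlsplit(m["location"]).hostname or ""
        verdict = classify_host(host, members)
        if verdict != "ok":
            findings.append((n, m["path"], host, verdict))
    return findings

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = [
    "GET /next?from=alice.example 302 https://bob.example/",
    "GET /random 302 https://b0b.example/login",
    "GET /prev?from=carol.example 302 https://payments.invalid/",
    "GET /members.json 200 -",
    "GET /next?from=bob.example 302 https://CAROL.example/",
]
```

Running the audit from a host that only reads the gateway logs keeps the check independent of the redirect backend; the same `classify_host` check can be applied to a join request's domain before a member is added.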