Devise user enumeration mitigations #2
Comments
Hi Eliot, I'm glad that the project has its first contributor :) I agree that Devise's paranoid mode is relevant to mitigate user enumeration. However, the Devise wiki says
I haven't recommended turning on paranoid mode because it may give developers a false sense of security against user enumeration while the registerable module is still vulnerable. A possible way to avoid this is to include a checklist item recommending turning on paranoid mode along with a code sample regarding the implementation of a captcha. Blocking an IP after creating a few users would not be effective if the attacker distributes the user enumeration process amongst multiple IPs (e.g. a botnet). What do you think?
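The point made in this comment, that paranoid mode covers sign-in and password-reset responses but the registerable module's "Email has already been taken" validation still reveals which addresses exist, can be shown with a small constructed model of a sign-up endpoint. The code below is an added example written for this page; it is not Devise's code and not part of the checklist. `UserStore`, `leaky_sign_up`, `uniform_sign_up` and the in-memory `outbox` are all constructed stand-ins for a users table, a registration controller and a mailer, so it runs offline in plain Ruby.

```ruby
# Constructed example (not Devise's code): a default registerable-style
# sign-up leaks account existence through its validation message; the
# hardened variant returns a byte-identical response in both branches and
# moves the difference into an e-mail that only the address owner sees.
require 'set'

# Constructed in-memory stand-in for the users table.
class UserStore
  def initialize(emails = [])
    @emails = Set.new(emails.map(&:downcase))
  end

  def exists?(email)
    @emails.include?(email.downcase)
  end

  def create(email)
    @emails << email.downcase
  end
end

# Leaky behaviour: the uniqueness error only appears for registered
# addresses, so status and body differ depending on whether the
# e-mail exists. Paranoid mode does not change this path.
def leaky_sign_up(store, email)
  if store.exists?(email)
    { status: 422, body: 'Email has already been taken' }
  else
    store.create(email)
    { status: 201, body: 'Check your inbox to confirm your account' }
  end
end

# Hardened variant: the HTTP response is identical whether or not the
# address is registered. The branch only decides which e-mail is sent.
# Mail sending is modelled by appending to an array (constructed outbox).
def uniform_sign_up(store, email, outbox = [])
  if store.exists?(email)
    outbox << { to: email, template: :already_registered }
  else
    store.create(email)
    outbox << { to: email, template: :confirm_account }
  end
  { status: 200, body: 'If the address is valid, you will receive an e-mail shortly' }
end

# True when a known and an unknown address produce the same response,
# which is the property an enumeration check on this endpoint looks for.
def responses_indistinguishable?(handler, store, known, unknown)
  handler.call(store, known) == handler.call(store, unknown)
end

if __FILE__ == $PROGRAM_NAME
  store = UserStore.new(['alice@example.com'])
  puts "leaky:   #{responses_indistinguishable?(method(:leaky_sign_up), store, 'alice@example.com', 'bob@example.com')}"
  store = UserStore.new(['alice@example.com'])
  puts "uniform: #{responses_indistinguishable?(method(:uniform_sign_up), store, 'alice@example.com', 'carol@example.com')}"
end
```

The uniform response removes the content-based oracle but not a timing one (the two branches do different work), so it complements rather than replaces the captcha and rate limiting discussed in this thread.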
I found a How To: Use Recaptcha with Devise in the Devise Wiki.
@eliotsykes This issue is highly relevant. Do you intend to submit a PR? I'm asking because if you don't, I'll do it... Thank you.
Sorry I haven't had time to think through the (re)captcha solution.
I've had this concern too. In the end I decided to be clear about the registration exclusion in the text, see diff https://github.com/eliotsykes/rails-security-checklist/pull/26/files
And sorry I forgot to answer your PR question, please go ahead and take it on if you wish.
Nice text on your checklist. Thanks for sharing :)
Done! f9142d3
Hi, I think this section of the checklist might benefit from updating as from what I can tell Devise has further user enumeration mitigations that are disabled by default. For more see eliotsykes/rails-security-checklist#21 where I'm trying to update another checklist with a similar issue. HTH.