Open BillHodghead opened 7 years ago
From @gstaykova on June 30, 2017 14:11
@bhcrosslake , this issue discusses possible attacks through the SPSP server... which is no longer part of the architecture, as far as I know. Is the issue still relevant? Should it refer to the scheme adapter? What operational UI are you referring to?
Ultimately, this functionality should be implemented by a central quote passing service, but we don't have that at this time. Processing the quote messages is done by the scheme adapter, which should fire an event that there is a problem. We could choose to put throttling there now, but it doesn't make sense to do so when the code will probably be moved later. Let's move this to Phase2. The DFSP operational UI is at http://
From @bhcrosslake on January 12, 2017 0:35
As a DFSP, I don't want other DFSPs to get a complete list of my user numbers.
This could be possible through a brute force attack on the SPSP Server. To prevent that, the SPSP server should implement a circuit breaker to throttle queries from DFSPs that repeatedly try user numbers that don't exist.
Acceptance Criteria
This is a relatively low priority story as it doesn't involve money gain/loss. It may be ignored if it is accomplished through the central hub. See #336
Copied from original issue: LevelOneProject/Docs#337
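
A sketch of the per-DFSP circuit breaker the story above asks for, added here as an illustration and not taken from the issue or the project's code. The class and function names, the thresholds, and the user numbers are all assumptions. Only lookups of numbers that do not exist count toward tripping the breaker, and while it is open the query is answered without consulting the user directory.

```python
from collections import defaultdict, deque


class LookupBreaker:
    """Per-DFSP breaker that trips on repeated lookups of unknown user numbers."""

    def __init__(self, max_misses=5, window_s=60.0, cooldown_s=300.0):
        self.max_misses = max_misses      # misses tolerated inside one window
        self.window_s = window_s          # sliding window length, seconds
        self.cooldown_s = cooldown_s      # how long the breaker stays open
        self._misses = defaultdict(deque)  # dfsp_id -> timestamps of recent misses
        self._open_until = {}              # dfsp_id -> time the breaker closes

    def allow(self, dfsp_id, now):
        """True if this DFSP may query the directory at time `now`."""
        return now >= self._open_until.get(dfsp_id, 0.0)

    def record(self, dfsp_id, found, now):
        """Record one lookup outcome; open the breaker on too many misses."""
        if found:
            return  # legitimate traffic never moves a DFSP toward the limit
        misses = self._misses[dfsp_id]
        misses.append(now)
        while misses and misses[0] <= now - self.window_s:
            misses.popleft()  # drop misses that fell out of the window
        if len(misses) >= self.max_misses:
            self._open_until[dfsp_id] = now + self.cooldown_s
            misses.clear()


def lookup(breaker, directory, dfsp_id, user_number, now):
    """Return 'throttled', 'found' or 'not_found' for one query."""
    if not breaker.allow(dfsp_id, now):
        return "throttled"  # no directory access, so no existence signal leaks
    found = user_number in directory
    breaker.record(dfsp_id, found, now)
    return "found" if found else "not_found"


def simulate():
    """Constructed scenario: dfsp-a guesses numbers, dfsp-b queries normally."""
    directory = {"26547070", "26547071"}  # constructed user numbers
    breaker = LookupBreaker(max_misses=5, window_s=60.0, cooldown_s=300.0)
    guesses = [lookup(breaker, directory, "dfsp-a", str(10000000 + i), float(i))
               for i in range(8)]
    normal = lookup(breaker, directory, "dfsp-b", "26547070", 8.0)
    blocked = lookup(breaker, directory, "dfsp-a", "26547070", 9.0)
    after = lookup(breaker, directory, "dfsp-a", "26547070", 304.0)
    return guesses, normal, blocked, after
```

Tripping the breaker is also the natural point to fire the "there is a problem" event mentioned in the comment above, so operators see which DFSP was throttled.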