brackets-archive / bracketsIssues

Archive of issues in brackets.

[CLOSED] Modify Health Data URL #9556

Open core-ai-bot opened 3 years ago

core-ai-bot commented 3 years ago

Issue by prafulVaishnav Friday Apr 10, 2015 at 06:44 GMT Originally opened as https://github.com/adobe/brackets/pull/10867



prafulVaishnav included the following code: https://github.com/adobe/brackets/pull/10867/commits

core-ai-bot commented 3 years ago

Comment by MarcelGerber Friday Apr 10, 2015 at 12:02 GMT


Wasn't it meant to be a https:// URL? cc @peterflynn

core-ai-bot commented 3 years ago

Comment by abose Friday Apr 10, 2015 at 12:06 GMT


HTTPS is still in the works; procuring the SSL certificates will take a bit more time. Brackets will be using HTTPS by release.

core-ai-bot commented 3 years ago

Comment by lenovouser Friday Apr 10, 2015 at 12:28 GMT


@peterflynn @MarcelGerber Just a quick reminder / question. With the possibility of everyone reading the source code of Brackets there is probably also a big risk of someone spamming your health data server with unnecessary data and crashing it / exceeding the HDD limit for data. I don't know if you have any protection for that, but I guess not.

core-ai-bot commented 3 years ago

Comment by abose Friday Apr 10, 2015 at 13:12 GMT


There are reasonable restrictions set at the server to handle these cases. But you can share any suggestions on defending against spam/other issues you find that could be a risk to the server.

core-ai-bot commented 3 years ago

Comment by lenovouser Friday Apr 10, 2015 at 13:49 GMT


Well you could of course restrict the amount of health data / IP. Maybe also obfuscate the implementation somehow.

core-ai-bot commented 3 years ago

Comment by abose Friday Apr 10, 2015 at 14:43 GMT


Yep. Also regarding obfuscating the client implementation, we didn't want to do that as code transparency is one of the primary requirements in logging user data. Anyone could review what data is being sent and be confident that Brackets is not doing something funny.

core-ai-bot commented 3 years ago

Comment by lenovouser Friday Apr 10, 2015 at 15:25 GMT


Okay, yeah, I do understand that. I am thinking of a way to generate some UUID verification, maybe per MAC address, but that is probably way too complicated and at some point unnecessary.

core-ai-bot commented 3 years ago

Comment by peterflynn Friday Apr 10, 2015 at 18:15 GMT


Most metrics systems out there use a fairly simple protocol that could be sniffed and spoofed too. I think the main defense really has to be detecting outliers later when you're analyzing the data. It's essentially impossible to solve solely on the client side (because the problem fundamentally is that you're not able to trust the client). So let's not worry about it for now.

The only thing that seems like a simple fix is rate-limiting: if we see more than ~2 pings with the same UUID in a 24-hour period, something is wrong and we should discard the extra ones. @abose that's something to consider but I'm not sure it's worth doing anything yet.

core-ai-bot commented 3 years ago

Comment by abose Friday Apr 10, 2015 at 18:48 GMT


Yes, we could detect any anomalies when processing the logs. Duplicate UUIDs in the same day could be weeded out, and if someone is determined to break that, he could always spam with randomly generated UUIDs. If a large number of new UUIDs are detected, it means someone spammed the system. And a firewall could do the security heavy lifting.
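
Added example, not part of the thread and not Brackets or health-data server code: a sketch of the two log-processing checks discussed in the last two comments, discarding extra pings per UUID per day and flagging days with an unusual number of never-seen UUIDs. The ping shape (`uuid`, `ts`), the use of UTC calendar days for the 24-hour window, the spike factor and all function names are assumptions.

```javascript
// Added example: server-side log post-processing, not Brackets code.
// Assumed ping shape: { uuid, ts } with ts an ISO-8601 UTC timestamp.
const MAX_PINGS_PER_UUID_PER_DAY = 2; // "~2 pings" from the thread
const NEW_UUID_SPIKE_FACTOR = 5;      // assumed threshold, tune on real data

const dayOf = (ts) => new Date(ts).toISOString().slice(0, 10);
const byTime = (a, b) => Date.parse(a.ts) - Date.parse(b.ts);

// Keep the first MAX pings per UUID per UTC day and discard the extras.
function rateLimit(pings) {
  const counts = new Map();
  const kept = [], discarded = [];
  for (const p of [...pings].sort(byTime)) {
    const key = `${dayOf(p.ts)}|${p.uuid}`;
    const n = (counts.get(key) || 0) + 1;
    counts.set(key, n);
    (n <= MAX_PINGS_PER_UUID_PER_DAY ? kept : discarded).push(p);
  }
  return { kept, discarded };
}

// Count UUIDs first seen on each day; flag days whose count exceeds
// NEW_UUID_SPIKE_FACTOR times the mean of earlier, unflagged days.
function newUuidSpikes(pings) {
  const seen = new Set(), perDay = new Map();
  for (const p of [...pings].sort(byTime)) {
    const day = dayOf(p.ts);
    perDay.set(day, (perDay.get(day) || 0) + (seen.has(p.uuid) ? 0 : 1));
    seen.add(p.uuid);
  }
  const flagged = [];
  let total = 0, days = 0;
  for (const [day, count] of perDay) {
    if (days > 0 && count > NEW_UUID_SPIKE_FACTOR * (total / days)) flagged.push(day);
    else { total += count; days += 1; } // spikes stay out of the baseline
  }
  return flagged;
}

// Constructed sample: "a" pings 4 times on day 1; 40 unseen UUIDs on day 3.
function samplePings() {
  const rows = [["a", "10T01"], ["a", "10T02"], ["a", "10T03"], ["a", "10T04"],
    ["b", "10T05"], ["c", "10T06"], ["a", "11T01"], ["b", "11T02"], ["d", "11T03"]];
  for (let i = 0; i < 40; i++) rows.push([`spam-${i}`, "12T00"]);
  return rows.map(([uuid, t]) => ({ uuid, ts: `2015-04-${t}:00:00Z` }));
}

console.log(rateLimit(samplePings()).discarded.length, newUuidSpikes(samplePings()));
```

The first day in any input has no baseline and is never flagged, so a real deployment would seed the baseline from historical counts.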