interledgerjs / ilp-plugin-xrp-asym-server

Server for Asymmetric XRP Paychan

Server pays the bill if accounts get compromised #3

Open dappelt opened 6 years ago

dappelt commented 6 years ago

Related to ilp-plugin-btp/issues/4.

Quote from the mini-accounts readme (emphasis mine):

Any secret can be used to authenticate; it is then hashed and becomes your account identifier. This has the advantage of requiring no UI-based signup flow nor any database storing usernames and passwords. It has the disadvantage that password recovery cannot be done, and only randomly generated passwords should be used. Treat your credentials like you would treat a wallet secret for a cryptocurrency.

Comparing it to a wallet secret is not quite right. If a wallet is compromised, the owner of the wallet is out of funds. With mini-accounts, however, if a client's password is compromised the mini-accounts instance is out of funds.

Why? Let's assume an attacker gets a client's password. To steal money, he would authorize to mini-accounts with the stolen password and send a payment up to the bandwidth limit. Since he cannot send a valid claim, further payments are rejected and he cannot steal more (which should not be much, but free money yay). If any legitimate (sane) client realizes that the account is compromised the only option is to close the paychan/account (sending another claim is not an option since the attacker still has the password and it cannot be changed). mini-accounts never got that last claim, so it is out the bandwidth.

So it is really in the best interest of mini-accounts that client passwords are not compromised.

dappelt commented 6 years ago

cc @emschwartz @sharafian

sharafian commented 6 years ago

Prefunding should solve this issue. Can we close this?
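To make the exposure concrete, here is a toy accounting model added for this discussion; it is not code from ilp-plugin-xrp-asym-server or mini-accounts, and the scenario values (a 30-unit legitimate payment, 10-unit packets, a 50-unit bandwidth, a 100-unit prefund) are constructed. It tracks how much a server has delivered for a client against the best paychan claim it holds, replays the sequence dappelt describes (legitimate use, then a session with the same credentials that forwards packets but never sends a claim), and reports what the server is out of pocket when the channel is closed at the last claim. It also runs the prefunded variant sharafian points to, where a claim arrives before any delivery, to show that the loss then falls on the client's prefund rather than on the server.

```javascript
// Toy model of a server-side paychan account (added example, not the project's code).
class ChannelAccount {
  // bandwidth: value the server will deliver before a claim has to cover it
  constructor(bandwidth) {
    this.bandwidth = bandwidth;
    this.delivered = 0; // value the server has forwarded on the client's behalf
    this.claimed = 0;   // highest cumulative claim total received so far
  }

  // Delivered value not backed by a claim: the server's loss if the channel
  // were closed right now. Negative means the client has prefunded.
  unsecured() {
    return this.delivered - this.claimed;
  }

  // Accept a packet only while the unsecured balance stays within bandwidth.
  handlePacket(amount) {
    if (this.unsecured() + amount > this.bandwidth) return false;
    this.delivered += amount;
    return true;
  }

  // Claims are cumulative channel totals; only a higher total changes state.
  applyClaim(total) {
    if (total > this.claimed) this.claimed = total;
  }
}

// Replays the issue's scenario with constructed numbers and returns how much
// was forwarded without a claim and what the server loses at channel close.
function serverLossAfterCompromise({ bandwidth, prefund }) {
  const account = new ChannelAccount(bandwidth);

  // Prefunded variant: the client's claim arrives before anything is delivered.
  if (prefund > 0) account.applyClaim(prefund);

  // Legitimate use: forward 30 units, then settle with a claim covering it.
  account.handlePacket(30);
  account.applyClaim(Math.max(account.claimed, account.delivered));

  // Session holding the same credentials: forwards 10 units at a time and
  // never sends a claim, so the server keeps accepting until bandwidth is used up.
  let unclaimed = 0;
  while (account.handlePacket(10)) unclaimed += 10;

  // The legitimate client notices and closes the channel at the last valid claim.
  return { unclaimed, serverLoss: account.unsecured() };
}

// Without prefunding the server carries the whole bandwidth as a loss;
// with prefunding the server loses nothing and the client's deposit is drained instead.
const bandwidthOnly = serverLossAfterCompromise({ bandwidth: 50, prefund: 0 });
const prefunded = serverLossAfterCompromise({ bandwidth: 0, prefund: 100 });
console.log("bandwidth only:", bandwidthOnly); // { unclaimed: 50, serverLoss: 50 }
console.log("prefunded:", prefunded);          // { unclaimed: 70, serverLoss: 0 }
```

The two runs make the asymmetry in the issue explicit: with bandwidth and no prefund, every unit forwarded without a claim is the server's loss, capped only by the bandwidth setting; with prefunding and zero bandwidth, the server's unsecured balance never goes above zero, so a leaked credential costs the client (the wallet analogy from the readme) and not the server.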