Integrate with the IP reputation service

[ghost]

@jvehent can you give us more details on how to do this? (links to docs?)

[jvehent]

@g-k is the reputation man.

[g-k]

Not sure what violations/abuse to expect, but we'd want to:

• define some violation types (e.g. multiple uploads from an IP that virustotal flags as malware)
• generate reputation service credentials per the "Adding a new service" section of https://mana.mozilla.org/wiki/x/9yuxAw
• integrate the js-client-library
• send IPs and violations to the reputation service
• check if an IP is reputable before certain actions like accepting an upload

I can write patches for the integration.

[abhinadduri]

@g-k Is there a mozilla account for virustotal or for similar APIs? If not, I can go ahead and start development with a personal account.

[g-k]

@abhinadduri Thanks for picking this up! You can probably register for a public one for testing/development.

I bet we'll hit the 4 requests/minute limit for a public API key quickly and want a private one. @jvehent does cloud services security/secops have one? I don't think we do. EIS or RelEng might have keys too. We might as well look into getting another one, since this is a different use case.

Not sure what privacy/security review this project has undergone, but we might need to add a notice saying we'll send hashes of your unencrypted files to VT somewhere too.

[jvehent]

I think we should keep this feature under the hood in case we run into abuse issues, or for the graduation from testpilot. It's a bit too much engineering for an experiment, I think.

[abhinadduri]

@jvehent In that case, should I move this issue to a later (maybe v2) milestone?

[jvehent]

That seems reasonable to me.

[dannycoates]

@g-k should we be using this service for simple rate limiting or something else?

[g-k]

@dannycoates it can be used for rate limiting or blocking actions from IPs with poor reputation. It's up to the application to decide what to do with the reputation data.

[ghost]

@g-k are you still interested in writing a patch for this? :)

[g-k]

@wresuolc I can. Is Send graduating from Testpilot?

[ghost]

I think it's going to stay in Test Pilot for the short term. @johngruen is there a party line for Send graduation?

[ioistired]

Isn't the whole point of end to end crypto that users can send whatever they want? How would we tell if people upload malware, short of them sharing the link online? What if a security researcher repeatedly uses the same IP to send samples to a friend? Just my two cents here.

[dannycoates]

@bmintz we wouldn't discriminate on content. We'd likely use this to limit abuse of bandwidth and storage.

[ioistired]

@dannycoates so what's this about VirusTotal? In what situations would that come in to play?

[dannycoates]

so what's this about VirusTotal?

Old news. The very early design included the hash of the unencrypted file. Now we use GCM to ensure the file's integrity and have no knowledge of the file contents or metadata (aside from size).