Authentication is vulnerable to brute force attacks #29

Open
chfoo opened this issue Nov 2, 2014 · 1 comment
chfoo commented Nov 2, 2014

The authentication code throws HTTP 401 but it doesn't stall or block the client. This makes it feasible for a brute force attack since the tracker is well capable of handling more than 15000 requests per minute.

@chfoo chfoo added the bug label Nov 2, 2014
chfoo commented Nov 2, 2014

A work-around is to use rate limiting, on admin URLs, using the web server if supported.
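For the case where the web server cannot rate limit, one way to make the application itself stall repeated failed logins, shown as an added example that is not the project's code. `FailedLoginThrottle`, `handle_login`, `check_credentials` and the thresholds are hypothetical names and values chosen for illustration.

```python
import time
from collections import defaultdict


class FailedLoginThrottle:
    """Per-client backoff: after a few free failures, each further one doubles the wait."""

    def __init__(self, free_attempts=5, base_delay=1.0, max_delay=900.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts   # illustrative thresholds (assumptions)
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._failures = defaultdict(int)    # client -> consecutive failed logins
        self._blocked_until = {}             # client -> time the block expires

    def retry_after(self, client):
        """Seconds the client must still wait; 0.0 means it may try now."""
        return max(0.0, self._blocked_until.get(client, 0.0) - self.clock())

    def record_failure(self, client):
        self._failures[client] += 1
        extra = self._failures[client] - self.free_attempts
        if extra > 0:
            # Exponent is capped so a very long failure streak cannot overflow.
            delay = min(self.max_delay, self.base_delay * 2 ** min(extra - 1, 30))
            self._blocked_until[client] = self.clock() + delay

    def record_success(self, client):
        self._failures.pop(client, None)
        self._blocked_until.pop(client, None)


def handle_login(throttle, client, username, password, check_credentials):
    """Return (HTTP status, retry-after seconds) for one login request."""
    wait = throttle.retry_after(client)
    if wait > 0:
        # Refuse before checking credentials, so a blocked client learns nothing
        # about whether this guess was right.
        return 429, wait
    if check_credentials(username, password):
        throttle.record_success(client)
        return 200, 0.0
    throttle.record_failure(client)
    return 401, throttle.retry_after(client)
```

State is held in memory per process, so a multi-process deployment needs a shared store and an eviction policy. Keying on the client address assumes it comes from the connection itself or from a trusted proxy header.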
