~sircmpwn/sr.ht-discuss

Re: Supporting user groups/organizations on SourceHut

Message ID
<3d1245ec-0765-4557-a937-d8356f00f0eb@www.fastmail.com>
DKIM signature
missing
On Sat, Feb 15, 2020, at 11:57, Simon Ser wrote:
> On Saturday, February 15, 2020 11:49 AM, Wolf480pl <wolf480@interia.pl> wrote:
> 
> > On 15.02.2020 at 11:33, Noah Loomans wrote:
> >
> > > I wonder if groupnames are allowed to overlap with usernames? It could
> > > cause some confusion if both the user ~example and the group +example
> > > exist. Also, this could possibly be used for phishing as well. Imagine
> > > the group +example hosts their code at git.sr.ht/+example/project. Now
> > > an attacker could create git.sr.ht/~example/project, which looks the
> > > same but contains malicious code.
> >
> > Or they could create git.sr.ht/+examp1e/project
> > or git.sr.ht/+exarnple/project.
> >
> > Depending on your font, these may be easily confusable with the original url.
> 
> There's also git.sr.ht/+exаmple, which is different from
> git.sr.ht/+example (Cyrillic "A").

Sourcehut doesn't support those characters in usernames. But it's a fair
point.

My point is that a URL which uses a ~ instead of a + doesn't reveal
itself after careful examination of the URL. You would have to know if the
real repo uses a ~ or + in the URL, which isn't always obvious.

But I just realized that if you don't already know if the real URL
uses a group or a user, you probably also don't know what the exact name
would be. One might create a fake +example-oss group when the real group
was called ~example.

So I guess this isn't really a concern. (Although I can't think of a
valid reason to create a user and a group with the same name).
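The thread raises two look-alike risks: a name registered in the other namespace (~example versus +example) and near-duplicates such as examp1e, exarnple or a Cyrillic "а". The script below is an added illustration of how a registration check could catch both; it is not SourceHut code and not from any poster. It assumes a lowercase-ASCII name charset (the thread only says non-ASCII is rejected), a small constructed set of already-taken names, and a hand-picked fold table of confusable ASCII sequences.

```python
import re
import unicodedata

# Constructed sample of names already taken, keyed by namespace sigil
# (~ for users, + for groups, as proposed in the thread).
EXISTING = {
    "~": {"example", "alice"},
    "+": {"example-oss", "bob"},
}

# Assumption for this example: names are lowercase ASCII letters, digits,
# '-' and '_' only. This alone rejects the Cyrillic-"a" homograph.
ALLOWED = re.compile(r"^[a-z0-9][a-z0-9_-]*$")

# Visually confusable ASCII sequences folded to one canonical spelling.
# Multi-character rules run first so "rn" is folded before "n" is looked at.
SKELETON_RULES = [
    ("rn", "m"),
    ("vv", "w"),
    ("1", "l"),
    ("i", "l"),
    ("0", "o"),
]


def is_valid_name(name: str) -> bool:
    """True if the name is confined to the allowed ASCII character set."""
    return bool(ALLOWED.fullmatch(name))


def skeleton(name: str) -> str:
    """Reduce a name to a confusability skeleton.

    NFKC normalisation collapses compatibility forms, the fold rules merge
    look-alike letters, and separators are dropped, so 'examp1e',
    'exarnple' and 'ex-ample' all share a skeleton with 'example'.
    """
    s = unicodedata.normalize("NFKC", name).lower()
    for src, dst in SKELETON_RULES:
        s = s.replace(src, dst)
    return s.replace("-", "").replace("_", "")


def confusable_with(sigil: str, name: str, existing=EXISTING) -> list:
    """List existing ~user / +group names that look like sigil+name.

    Both namespaces are checked, so registering +example while ~example
    exists is reported, just like +examp1e or +exarnple would be.
    """
    target = skeleton(name)
    hits = []
    for ns, names in existing.items():
        for other in names:
            if ns + other == sigil + name:
                continue  # exact duplicate is a plain collision, not a look-alike
            if skeleton(other) == target:
                hits.append(ns + other)
    return sorted(hits)


def check_registration(sigil: str, name: str, existing=EXISTING) -> str:
    """Return 'ok', 'invalid-charset' or 'confusable:<comma-separated names>'."""
    if not is_valid_name(name):
        return "invalid-charset"
    hits = confusable_with(sigil, name, existing)
    if hits:
        return "confusable:" + ",".join(hits)
    return "ok"


if __name__ == "__main__":
    for sigil, name in [("+", "example"), ("+", "examp1e"), ("+", "exarnple"),
                        ("+", "ex\u0430mple"), ("~", "carol")]:
        print(sigil + name, "->", check_registration(sigil, name))
```

The charset check is the cheap, decisive part; the skeleton comparison is a heuristic and will produce some false positives (e.g. "alice" and "allce"), which is why it returns the colliding names for a human or policy layer to decide on rather than rejecting outright.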