What would be the flow of a secure online win code activation mechanism?











Imagine a campaign where a visitor with a unique win-code from a product package can win immediately by entering just the code. The client wants email etc. after validating the winning code. This is uncommon, but much more sympathetic as opposed to demanding email and personal data before checking if one has won i.m.h.o.



So, the flow for the visitor would be:



[ ENTER CODE ]
!win -> [ TOO BAD ]
win -> [ CONGRATULATIONS ] -> [ ENTER PERSONAL DATA ]


This scenario would mean a brute force bot could try codes until the response would differ, implying a winning code. Would you use/build a (re)captcha?



How would you protect from flooding? An attacker could easily spoof IP / UserAgent for every request.



Is it even possible to protect such a mechanism in this flow?










      forms validation security brute-force data-protection






      asked Nov 8 at 13:17









      JosFabre

          1 Answer
          General question, general answer...



          Better to make the code long enough that this becomes infeasible.



          Consider the threat model: why would someone go to the effort of doing this? Are the payouts that high?



          There's no point in an attacker spoofing IPs as they would never see the responses, and they can't spoof IP with TLS & HTTP anyway (they can hide behind a proxy, but that's not spoofing). So long as the number of proxies/IPs is much smaller than the number of possible codes, you shouldn't have a problem limiting by IP.



          You could make requests expensive - use a challenge-response system to make clients do a huge number of hash iterations to rate-limit requests (see hashcash). If it takes 1 second, that limits the potential request rate significantly, but doesn't penalise real users excessively.







          answered Nov 8 at 13:55









          Synchro

          • Thanks for your answer. I didn't know about hashcash yet.
            – JosFabre
            Nov 8 at 14:25
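
The hashcash-style challenge-response mentioned in the answer, as an added example (not code from the answer or from the hashcash project). The function names, the 16-bit difficulty, the 120-second lifetime and the in-memory replay set are assumptions; the server signs each challenge so it needs no per-challenge state until one is redeemed.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # assumption: per-deployment secret, never sent to clients
DIFFICULTY_BITS = 16          # assumption: raise until a browser needs about 1 second
MAX_AGE = 120                 # seconds a challenge stays valid
_spent = set()                # redeemed challenges; a shared store with TTL in production

def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_challenge(now=None) -> str:
    """Server: random nonce, issue time and difficulty, signed with the server key."""
    now = int(time.time() if now is None else now)
    payload = f"{os.urandom(8).hex()}:{now}:{DIFFICULTY_BITS}"
    return f"{payload}:{_mac(payload)}"

def _zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge: str) -> int:
    """Client: search for a counter whose hash has enough leading zero bits."""
    bits = int(challenge.split(":")[2])
    counter = 0
    while _zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter

def verify(challenge: str, counter: int, now=None) -> bool:
    """Server: one HMAC and one hash, checked before the win code is looked up."""
    now = int(time.time() if now is None else now)
    payload, _, mac = challenge.rpartition(":")
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return False                          # forged or altered challenge
    _nonce, issued, bits = payload.split(":")  # safe to parse: the MAC matched
    if not 0 <= now - int(issued) <= MAX_AGE or challenge in _spent:
        return False                          # expired or already redeemed
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if _zero_bits(digest) < int(bits):
        return False                          # not enough work done
    _spent.add(challenge)                     # one solved challenge buys one code attempt
    return True
```

Each extra difficulty bit doubles the client's expected work while verification stays at a single hash, so the cost asymmetry favours the server.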



















