Rate Limiting Clig Creation

Today a friendly Cligs user emailed me with a description of a weakness in Cligs. The weakness basically means that Cligs is susceptible to automated attacks that can potentially bog down the site. I’ve been thinking about a different but related issue, and today’s email prompted me to act quickly before someone not so nice does something.

So as of just now, the Cligs system has a built-in rate limit: you can create up to 5 new cligs every minute. If you create cligs at a faster rate, Cligs will ask you to fill out a captcha form. A captcha is an image of funnily-written text that you need to read and type into the form. Automated robots (bots) cannot fill out that form and so this check stops automation dead.

The question with measures like this is as follows: what is the balance between user convenience (i.e. not overly aggressive checking) and security (i.e. vigilant checking)? I set the balance at 5 new cligs every minute because it’s unlikely a human being would do that. Comments and thoughts welcome below.
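The limit-then-captcha behaviour and the tunable threshold discussed above can be sketched as follows. This is an added example, not the Cligs code: the class and function names are hypothetical, and it assumes clients are identified by IP address, state is kept in memory, and a sliding 60-second window is used so that a burst straddling a minute boundary is still caught.

```python
import time
from collections import defaultdict, deque


class CligRateLimiter:
    """Sliding window: at most `limit` creations per `window` seconds per client."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                  # injectable so timing can be replayed
        self._events = defaultdict(deque)   # client key -> recent creation times

    def check(self, client, captcha_solved=False):
        """Return "allow" or "captcha" for one creation attempt."""
        now = self.clock()
        events = self._events[client]
        while events and now - events[0] >= self.window:
            events.popleft()                # forget creations older than the window
        if len(events) >= self.limit and not captcha_solved:
            return "captcha"                # over the limit: demand a solved captcha
        events.append(now)                  # only successful creations are counted
        return "allow"

    def prune(self):
        """Drop clients with no creations left in the window (bounds memory)."""
        now = self.clock()
        for client in list(self._events):
            events = self._events[client]
            if not events or now - events[-1] >= self.window:
                del self._events[client]


def replay(times, limit=5, window=60.0):
    """Replay constructed creation timestamps (seconds) for a single client."""
    now = [0.0]
    limiter = CligRateLimiter(limit, window, clock=lambda: now[0])
    decisions = []
    for t in times:
        now[0] = float(t)
        decisions.append(limiter.check("198.51.100.7"))  # constructed example IP
    return decisions


if __name__ == "__main__":
    print(replay(range(10)))                 # scripted burst, one request per second
    print(replay([0, 20, 40, 60, 80, 100]))  # human pace
    print(replay([55, 56, 57, 58, 59, 60, 61, 115]))  # burst across a minute boundary
```

Raising or lowering `limit` is the convenience-versus-security dial: replaying real creation timestamps through `replay` with different limits shows how many human users each setting would have sent to the captcha.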

5 Responses to “Rate Limiting Clig Creation”

  1. Babarum Says:

    5 cligs/minute is far enough. If I face the difficulty of creating 8 cligs/minute (impossible), then I will fill out the captcha form.

  2. Andrew Says:

    You’re referring to me, right? (look at my IP). Well, I still can’t access the main page. Lol.

  3. Pierre Says:

    If enough humans hit the rate limit, then it’s not a good rate limit and needs to be raised.

    @Andrew, yes, it was you - thanks! The block has been lifted :)

    Pierre

  4. Angela Booth Says:

    I’m totally fine with that. Can’t imagine that I’d ever create five a minute, and wouldn’t mind a captcha if I did.

    Great service; thank you. :-)

  5. DagitabLog Says:

    Well that seems to be OK.

    Or better yet make it 6 - it’s the number of characters of “cli.gs” LOL I just thought of some relation of the number.