On Oct 17, 2013, at 5:24 PM, Monica Chew <[email protected]> wrote:

> Having a verified email address at a big webmail provider provides some
> guarantee by proxy that a human is behind the address (or at least has
> figured out how to abuse the account creation system at the mail provider).
>
> http://www.blackhatworld.com/blackhat-seo/seo-other/72970-youtube-gmail-hotmail-yahoo-accounts-highest-quality-lowest-price.html

This is a good point. We should always try to take advantage of the fraud and abuse work already done by big IdPs wherever possible.

-chris

> For unknown domains this question is harder. By the way, is Mozilla planning
> to provide email addresses?
>
> Monica
>
> ----- Original Message -----
>>
>> On Oct 17, 2013, at 4:44 PM, Ryan Kelly <[email protected]> wrote:
>>
>>>
>>> Hi All,
>>>
>>>
>>> The current Firefox Accounts API does not have any protections around
>>> account-creation - you submit an email address and password, click the
>>> verification link, and you're done.
>>>
>>> Should we be looking to add a captcha or similar into this flow to
>>> limit signups to Real Humans Only?
>>>
>>
>> No CAPTCHAs. We're not going to push our problems on our users.
>>
>> Which means we need a solution for our problems. So, yeah, I'd prefer some
>> rate limiting approach.
>>
>> I'm not so strongly opposed to context dependent CAPTCHAs or similar things,
>> e.g., a user has attempted 5 failed logins and the next one is going to
>> require some extra work.
>>
>> -chris
>>
>>
>>> My instinct says no, as we've not had a good experience with captchas
>>> in the past - IIRC correctly there was a bug filed to disable them in
>>> the Sync account creation flow because they were more trouble than not.
>>>
>>> The alternative is to do request-level rate limiting, which is already
>>> in the works and could easily be special-cased to add stronger limits on
>>> the account-creation API.
>>>
>>>
>>> Thoughts?
>>>
>>>
>>> Ryan
>>> _______________________________________________
>>> Sync-dev mailing list
>>> [email protected]
>>> https://mail.mozilla.org/listinfo/sync-dev
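
Added example, not part of the original thread and not Firefox Accounts code: a sketch of the two ideas discussed above, request-level rate limiting with a stricter special-case limit on account creation, and a challenge required only after 5 failed logins. The route name `/account/create`, the limit values and keying by client IP are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed values: route -> (max requests, window in seconds).
# "/account/create" is a hypothetical route name, not the real API path.
LIMITS = {"default": (60, 60), "/account/create": (3, 3600)}
FAILED_LOGIN_THRESHOLD = 5  # from the thread: extra work after 5 failed logins


class Gate:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so tests can control time
        self.hits = defaultdict(deque)     # (client, bucket) -> request timestamps
        self.failures = defaultdict(int)   # account -> consecutive failed logins

    def allow(self, client, route):
        """Sliding-window limit; account creation gets its own stricter bucket."""
        bucket = route if route in LIMITS else "default"
        limit, window = LIMITS[bucket]
        now = self.clock()
        q = self.hits[(client, bucket)]
        while q and now - q[0] >= window:  # drop requests that left the window
            q.popleft()
        if len(q) >= limit:
            return False                   # over the limit: reject, do not record
        q.append(now)
        return True

    def login(self, account, password_ok, challenge_passed=False):
        """Return 'ok', 'denied', or 'challenge' (context-dependent extra step)."""
        if self.failures[account] >= FAILED_LOGIN_THRESHOLD and not challenge_passed:
            return "challenge"             # only users past the threshold see this
        if password_ok:
            self.failures.pop(account, None)  # success resets the counter
            return "ok"
        self.failures[account] += 1
        return "denied"


if __name__ == "__main__":
    gate = Gate()
    ip = "203.0.113.7"  # constructed sample client address (documentation range)
    print([gate.allow(ip, "/account/create") for _ in range(4)])
    print([gate.login("user@example.com", False) for _ in range(6)])
```

Ordinary users never see the challenge; it only appears once an account has accumulated the threshold of failures, and a successful login clears the counter.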

