undefined | Better HN

0 pointsserial_dev2y ago0 comments

> In gitlabs case this is much less relevant (...)

Why, though? GitLab is often self hosted, so being able to iterate through objects, like users, can be useful for an attacker.

0 comments

yellowapple2y ago

In my experience self-hosted GitLabs are rarely publicly-accessible in the first place; they're usually behind some sort of VPN.

As for an attacker being able to iterate through users, if that information is supposed to be private, and yet an attacker is getting anything other than a 404, then that's a problem in and of itself and my energy would be better spent fixing that.

Anon10962y ago

This is again a defense in depth thing. In the age of WFH, cracking a corporate VPN is really not that difficult. If you can make an attacker's life harder for low cost you should do it just in case.

yellowapple2y ago

Except you ain't really putting up a meaningful obstacle against an attacker here. Compared to the typical effort of cracking a corporate VPN, brute-forcing IDs is downright trivial.

Like I said elsewhere: it's like calling ROT13 "defense in depth".

remus2y ago

You're right, fair point.

j / k navigate · click thread line to collapse

0 comments

yellowapple2y ago

In my experience self-hosted GitLabs are rarely publicly-accessible in the first place; they're usually behind some sort of VPN.

Anon10962y ago

This is again a defense in depth thing. In the age of WFH, cracking a corporate VPN is really not that difficult. If you can make an attacker's life harder for low cost you should do it just in case.

yellowapple2y ago

Except you ain't really putting up a meaningful obstacle against an attacker here. Compared to the typical effort of cracking a corporate VPN, brute-forcing IDs is downright trivial.

Like I said elsewhere: it's like calling ROT13 "defense in depth".

remus2y ago

You're right, fair point.

j / k navigate · click thread line to collapse