[Tails-dev] Endless Data Attack and Defense

Hi!

I've been reading the Thandy design.

> Endless data attacks. An attacker responds to a file download request
with an endless stream of data, causing harm to clients (e.g. a disk
partition filling up or memory exhaustion).

Affected:
- tails_htp
- Tails security check perhaps?
- wherever else where you are using a scripted download (didn't check
more throughly than a fast grep for curl)

We're in luck. A fix doesn't appear to be that complicated. Curl
supports --max-time.

Adding a timeout between, well, 120 and 300 seconds?

Whatever a good timeout value would be, it's probable best not the hard
code let's say for example 120 seconds.

I think it may be best to add a random extra delay between maybe 0 and
300 seconds seconds so the attacker doesn't know for sure if Tor, the
wifi, the network broke down or if the user was using --max-time.

What do you think?

Cheers!
adrelanos