This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Send email notifications about new logins #4196
Comments
This was referenced Nov 21, 2021
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Uh oh!
There was an error while loading. Please reload this page.
Is your feature request related to a problem? Please describe.
Supply chain attacks via password reuse or cookie theft are becoming increasingly commonplace. Currently crates.io lacks some basic mitigations that the other package registries have already rolled out.
Describe the solution you'd like
An email notification should be sent to the address registered on crates.io on every login. This informs the user in case of account compromise and gives them an opportunity to react. At present an account compromise would go completely undetected.
Email notifications for new logins is already standard practice - for example, Google does that.
Describe alternatives you've considered
Github currently does not send email notifications about new logins; it might be possible to ask Github to implement this feature instead. However, doing this on crates.io level is still worthwhile even if Github implemented it, because doing this on crates.io level would also protect from Github cookie theft.
Additional context
Supply chain attacks are becoming increasingly commonplace. Just last month four high-profile NPM packages have been compromised, with the
ua-parser-jsbeing the most widely used.The attackers have flooded the maintainers' inboxes with spam to distract them from NPM email notifications, but it has merely delayed the discovery of the compromise. As of right now a similar compromise on crates.io would go completely undetected.
See also: #4195, #4197 for other basic mitigations. No single one is sufficient on its own; they have to be used in tandem.
The text was updated successfully, but these errors were encountered: