Community Help

awilliams · ‎05-10-2015

I'm in a bit of a security mindset atm (see my latest idea post ) and I realized I actually have no idea how Canvas handles brute-forcing. Does anyone know this by chance? Is there a scaling delay on consecutive login attempts or an eventual lock-out point?

scottdennis · ‎05-10-2015

Hi Adam,

Please discuss this with your CSM. They can put you in touch with the right people to discuss this further. For most of the time that I have worked for Instructure I have been located within close proximity to our support folks and I hear them discussing this issues with customers and people evaluating Canvas all the time. What I would strongly advise you or anyone else reading this to please not do is subject production Canvas to brute force or denial attacks just to test the system. If you are interesting in doing that kind of testing we have ways to help you learn more without you trying to take the system down.

View solution in original post

scottdennis · ‎05-10-2015

Hi Adam,

Please discuss this with your CSM. They can put you in touch with the right people to discuss this further. For most of the time that I have worked for Instructure I have been located within close proximity to our support folks and I hear them discussing this issues with customers and people evaluating Canvas all the time. What I would strongly advise you or anyone else reading this to please not do is subject production Canvas to brute force or denial attacks just to test the system. If you are interesting in doing that kind of testing we have ways to help you learn more without you trying to take the system down.

awilliams · ‎05-10-2015

Thanks @scottdennis . I will ask during our next phone call. That is indeed a good point you mention about not taking it on our own to try and find out.

scottdennis · ‎05-10-2015

Hey Adam,

One other thought; every institutionally identified Canvas admin should now have access to the known issues space - great place for similar conversation.

awilliams · ‎05-10-2015

Interesting. I would not have thought to mention it there. I will keep this in mind for the future but for now your answer makes perfect sense. I can understand the desire to keep certain security details private between CSM and Admin but how would you feel about me reporting back what I find out from my CSM after our conversation next Friday to this group for others to benefit from? (PS. We love @ndittemore )

scottdennis · ‎05-10-2015

Hey awilliams

@ndittemore is awesome. You are in good hands there.

I like the idea of you reporting back here to the general community on what ultimately proved the best route to get the kind of information you are looking for. As you know we take security seriously. If in your testing of Canvas you uncover what you consider to be a vulnerability please report it to security@instructure.com rather than posting it here.

Thanks

millerjm · ‎05-13-2015

@scottdennis - how do we access the "known issues" space?

Thanks!

awilliams · ‎05-14-2015

Hey @millerjm , you can go to Browse->Places, and then type in "top" or you can type in "Top Known" in the search bar.

or

scottdennis · ‎05-14-2015

Hi Joni,

If you are not seeing the group via the method awilliams helpfully suggested, please notify your CSM. It should be visible to all institutional admins.

Does anyone know how Canvas handles brute-forcing?

Administrator

Subaccount Visualization (Using Lucidchart)

How long do you keep student user data in Canvas b...

How to setup Parent Observers with Guest accounts ...

How do I obtain a student total activity?

Enable for all users: Include Byte-Order Mark in C...

Subaccount Visualization (Using Lucidchart)

Moodle Access After Migrating to Canvas

Large Subaccount Restructures

Hide Next button on an Assignment?

jQuery in Beta?

You're signed out

Does anyone know how Canvas handles brute-forcing?

Community Help

View our top guides and resources: