by bqmjjx0kac
1719 days ago
I'm so confused by this use case (the traffic-saving one, not the malicious URL classifier). Why not store the "is-paying-customer" bit in a cookie? What are we using as the user identifier? Where does it come from, if not a cookie? Also, this client-side bloom filter kind of leaks your user database, supposing it's keyed on email addresses and your adversary has a gigantic list of email addresses, or is patient enough to enumerate them.
You shouldn't trust the client. You probably don't want people to get access to paid features with a relatively easy tweak of cookies.
The client-side filter is more suitable for listing, say, malware URLs, as mostly the response is "no" (go ahead) instead of "maybe", which would require a bit more work (like, network requests) to check if it's blocked or not.
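
The blocklist flow discussed in this thread, as an added example that is not part of either comment: a local "no" from the Bloom filter needs no network request, while a "maybe" is confirmed against the authoritative list. The URLs, the filter parameters and the `server_lookup` stand-in are assumptions made for the illustration.

```python
import hashlib

class BloomFilter:
    """Fixed-size Bloom filter: answers 'definitely absent' or 'maybe present'."""

    def __init__(self, size_bits=1024, num_hashes=3):
        self.size_bits = size_bits          # must be a multiple of 8
        self.num_hashes = num_hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.size_bits for i in range(self.num_hashes)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

# Constructed sample data: the authoritative blocklist stays on the server.
SERVER_BLOCKLIST = {"http://bad.example/payload", "http://evil.example/login"}

def build_client_filter():
    """Build the filter that would be shipped to clients."""
    bf = BloomFilter()
    for url in SERVER_BLOCKLIST:
        bf.add(url)
    return bf

def server_lookup(url):
    # Hypothetical stand-in for the network request to the authoritative service.
    return url in SERVER_BLOCKLIST

def is_blocked(url, client_filter, lookup, stats):
    """Return True if url is blocked; contact the server only on a 'maybe'."""
    if not client_filter.might_contain(url):
        stats["local_no"] += 1       # definite "no": go ahead, no request made
        return False
    stats["server_checks"] += 1      # "maybe": could be a false positive
    return lookup(url)               # the server's answer is the one that counts
```

Anyone holding the filter can call `might_contain` offline, which is acceptable for a public blocklist and is the reason the first comment objects to keying it on customer email addresses.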