4.4 KiB
IF.TTT Security Hardening — Public Summary (IF.ARMOUR crossover)
Author: InfraFabric Research
Status: Summary (safe to share)
Updated: 2025-12-29
Version: 1.3 (summary)
Citation: if://doc/ifttt-security-hardening-summary/v1.3
This is a public summary of the internal hardening proposal:
- Internal full paper:
if://doc/ifttt-security-hardening/v1.3 - This summary intentionally omits operator details (hostnames, container IDs, internal network layout).
What problem this solves (black/white)
IF.TTT’s job is to publish receipts that survive skepticism:
- A source artifact →
source_sha256 - An output artifact →
output_sha256 - A trace record binding them →
trace_id+ publicshareId - Optional offline bundles →
lightweight/standard/full
Hardening is necessary because IF.TTT is exposed to adversarial pressure:
- spam and resource exhaustion
- scraping and tampering attempts
- epistemic attacks (“make the receipts look unreliable”)
- signer/key compromise attempts (the highest-value target)
Hardening does not mean “unhackable.” It means:
- failures are detected early
- damage is contained
- compromised components can be isolated
- receipts remain explainable and verifiable
The hostile-world assumption (required)
Operate as if:
- clients are adversarial
- the network is hostile
- servers will eventually have unknown vulnerabilities
- the goal is to protect the signing process and preserve an auditable record
IF.ARMOUR → IF.SECURITY.* (naming)
“IF.ARMOUR” is the research umbrella for adversarial hardening patterns.
In the product naming system, these patterns surface as:
IF.SECURITY.DETECT— detect abuse/anomaly patternsIF.SECURITY.CHECK— validate inputs, policies, integrityIF.SECURITY.WATCH— liveness/drift checks + escalation rulesIF.SECURITY.TRAP— honeypots/tarpits/deception
Control themes (what gets hardened)
1) Economic defenses (rate limits + PoW)
Goal: make bulk abuse expensive while keeping normal users fast.
Mechanisms:
- per-route rate limiting on public surfaces
- “proof-of-work” challenges for suspicious upload paths (optional, adaptive)
2) Honey-traces (canary receipts)
Goal: detect scrapers and receipt poisoning attempts by publishing decoy shareIds and measuring interaction patterns.
Mechanisms:
- decoy receipts that look valid but are tagged internally
- automated triage when decoys are accessed at scale
3) Tarpits / time vampires
Goal: consume attacker resources (time, concurrency) while extracting behavioral signals.
Mechanisms:
- deliberate slow paths for suspicious clients (bounded)
- jitter and challenge escalation for repeated probing
4) Swarm-Lock + Purgatory Protocol (containment)
Goal: if a component is suspected compromised or desynchronized, freeze before poisoning receipts.
Mechanisms:
- liveness checks and quorum-based gating for critical state
- “lock” mode that halts signing/publishing
- “purgatory” mode that isolates and requires explicit rejoin validation
5) Backups and survivability (two realities)
Reality A (single-host prototype):
- local backups and snapshots are adequate for early-stage iteration
Reality B (portable production profile):
- tiered backups (hot/warm/cold)
- optional replication to a secondary host (or later to cloud object storage)
- recovery procedures documented as part of the trust model
6) Verifier supply-chain hardening
Goal: the offline verifier must be trusted.
Mechanisms:
- publish hashes for verifier artifacts
- optionally sign verifier releases
- keep “what is verified” vs “what is not” explicit in tool output
What to expect (deployed vs planned)
Deployed (proof layer):
- public receipts + stable no-login aliases
- hash binding + signatures (including PQ receipts when available)
- offline verification path via triage bundles + verifier tooling
Planned (hardening layer):
- honey-traces and deception
- adaptive PoW + tarpits for abusive clients
- Swarm-Lock/Purgatory containment
- stronger backup tiers and survivability procedures
Why this matters
Without hardening, public receipts can become a new kind of theater:
- visible, but easy to undermine
- impressive, but fragile under adversarial pressure
With hardening, IF.TTT becomes:
- boring to operate
- legible to reviewers
- resilient under skepticism and abuse