On Fri, Dec 28, 2012 at 1:26 AM, Sumana Harihareswara <sumanah@wikimedia.org
wrote:
TL;DR: A few ideas follow on how we could possibly help legit editors contribute from behind Tor proxies. I am just conversant enough with the security problems to make unworkable suggestions ;-), so please correct me, critique & suggest solutions, and perhaps volunteer to help.
The current situation:
https://en.wikipedia.org/wiki/Wikipedia:Advice_to_users_using_Tor_to_bypass_... We generally don't let anyone edit or upload from behind Tor; the TorBlock extension stops them. One exception: a person can create an account, accumulate lots of good edits, and then ask for an IP block exemption, and then use that account to edit from behind Tor. This is unappealing because then there's still a bunch of in-the-clear editing that has to happen first, and because then site functionaries know that the account is going to be making controversial edits (and could possibly connect it to IPs in the future, right?). And right now there's no way to truly *anonymously* contribute from behind Tor proxies; you have to log in. However, since JavaScript delivery is hard for Tor users, I'm not sure how much editing from Tor -- vandalism or legit -- is actually happening. (I hope for analytics on this and thus added it to https://www.mediawiki.org/wiki/Analytics/Dreams .) We know at least that there are legitimate editors who would prefer to use Tor and can't.
People have been talking about how to improve the situation for some time -- see http://cryptome.info/wiki-no-tor.htm and https://lists.torproject.org/pipermail/tor-dev/2012-October/004116.html
I'm probably one of the many "Wikipedia folks" mentioned there, as I had a conversation about the issue with Roger Dingledine at 26C3 (where I subsequently gave a talk about Checkuser and sockpuppets). My impression back then was that while there was quite a lot of goodwill by smart Tor people to help Wikipedia find a solution, they were assuming a wrong threat model - basically just trying to reimplement IP autoblocks for Tor users, while ignoring the kind of abuse that is the reason for the existence of the Checkuser extension (and I am not confident that I was able to change that with my talk). The linked October 2012 thread still seems to assume that the problem is just "spammers using Tor".
. It'd be nice if it could actually move forward.
Thanks a lot for restarting this discussion, in any case. I would love to see a solution that enables editing Wikipedia via Tor, but I strongly recommend consulting Checkusers while developing it.
I've floated this problem past Tor and privacy people, and here are a few ideas:
- Just use the existing mechanisms more leniently. Encourage the
communities (Wikimedia & Tor) to use https://en.wikipedia.org/wiki/Wikipedia:Request_an_account (to get an account from behind Tor) and to let more people get IP block exemptions even before they've made any edits (< 30 people have gotten exemptions on en.wp in 2012). Add encouraging "get an exempt account" language to the "you're blocked because you're using Tor" messaging. Then if there's an uptick in vandalism from Tor then they can just tighten up again.
- Encourage people with closed proxies to re-vitalize
https://en.wikipedia.org/wiki/Wikipedia:WOCP . Problem: using closed proxies is okay for people with some threat models but not others.
- Look at Nymble - http://freehaven.net/anonbib/#oakland11-formalizing
and http://cgi.soic.indiana.edu/~kapadia/nymble/overview.php . It would allow Wikimedia to distance itself from knowing people's identities, but still allow admins to revoke permissions if people acted up. The user shows a real identity, gets a token, and exchanges that token over tor for an account. If the user abuses the site, Wikimedia site admins can blacklist the user without ever being able to learn who they were or what other edits they did. More: https://cs.uwaterloo.ca/~iang/ Ian Golberg's, Nick Hopper's, and Apu Kapadia's groups are all working on Nymble or its derivatives. It's not ready for production yet, I bet, but if someone wanted a Big Project....
As Brad and Ariel point out, Nymble in the form described on the linked project page does not seem to allow long-term blocks, and cannot deal with dynamic IPs. In other words, it would only provide the analogue of autoblock functionality for Tor users. The linked paper by Henry and Goldberg is more realistic about these limitations, discussing IP addresses only as one of several possible "unique identifiers" (§V). From the concluding remarks to that chapter, it seems most likely that they would recommend "some form of PKI or government ID-based registration" for our purposes.
3a) A token authorization system (perhaps a MediaWiki extension) where the server blindly signs a token, and then the user can use that token to bypass the Tor blocks. (Tyler mentioned he saw this somewhere in a Bugzilla suggestion; I haven't found it.)
- Allow more users the IP block exemption, possibly even automatically
after a certain number of unreverted edits, but with some kind of FlaggedRevs integration; Tor users can edit but their changes have to be reviewed before going live. We could combine this with (3); Nymble administrators or token-issuers could pledge to review edits coming from Tor. But that latter idea sounds like a lot of social infrastructure to set up and maintain.
Thoughts? Are any of you interested in working on this problem? #tor on the OFTC IRC server is full of people who'd be interested in talking about this.
-- Sumana Harihareswara Engineering Community Manager Wikimedia Foundation
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l