++the EFF for more ideas, they are actively doing great work on so-called perfect forward secrecy.
There are simple things we could do to achieve a better balance between privacy and sockpantsing, such as cryptolog [1], in which IP addresses are hashed using a salt that changes every day. In theory, nobody can reverse the function to reveal the IP, but you can still correlate all of an address's edits for the day, week, or whatever, making CheckUser possible.
IP range blocking obviously needs to happen up-front, before the IP is mangled. I have no suggestions, but maybe browser and preferences fingerprinting would be more effective anyway, since: tor.
-Adam
[1] https://git.eff.org/?p=cryptolog.git;a=summary
On Fri, Jul 11, 2014 at 8:45 AM, Chris Steipp csteipp@wikimedia.org wrote:
On Friday, July 11, 2014, Daniel Kinzler daniel@brightbyte.de wrote:
Am 11.07.2014 17:19, schrieb Tyler Romeo:
Most likely, we would encrypt the IP with AES or something using a configuration-based secret key. That way checkusers can still reverse
the
hash back into normal IP addresses without having to store the mapping
in the
database.
There are two problems with this, I think.
- No forward secrecy. If that key is ever leaked, all IPs become
"plain".
And it will be, sooner or later. This would probably not be obvious, so this feature would instill a false sense of security.
This is probably the biggest issue. Even if we hmac it, it's trivial to brute force the entire ipv4 (and with intelligent assumptions about generation, most of the ipv6) range in seconds, if the key was ever known.
- No range blocks. It's often quite useful to be able to block a range
of
IPs. This is an important tool in the fight against spammers, taking it away would be a problem.
Range blocks, I imagine, would continue working the same way they do. Someone would have to identify the correct range (which is very difficult when administrators can't see IP's), but on submission, we have the IP address to check against the blocks. (Unless someone proposes to store block ranges as hashes, that would definitely get rid of range blocks).
-- daniel
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org javascript:; https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l