On Friday, July 11, 2014, Daniel Kinzler daniel@brightbyte.de wrote:
Am 11.07.2014 17:19, schrieb Tyler Romeo:
Most likely, we would encrypt the IP with AES or something using a configuration-based secret key. That way checkusers can still reverse the hash back into normal IP addresses without having to store the mapping
in the
database.
There are two problems with this, I think.
- No forward secrecy. If that key is ever leaked, all IPs become "plain".
And it will be, sooner or later. This would probably not be obvious, so this feature would instill a false sense of security.
This is probably the biggest issue. Even if we hmac it, it's trivial to brute force the entire ipv4 (and with intelligent assumptions about generation, most of the ipv6) range in seconds, if the key was ever known.
- No range blocks. It's often quite useful to be able to block a range of
IPs. This is an important tool in the fight against spammers, taking it away would be a problem.
Range blocks, I imagine, would continue working the same way they do. Someone would have to identify the correct range (which is very difficult when administrators can't see IP's), but on submission, we have the IP address to check against the blocks. (Unless someone proposes to store block ranges as hashes, that would definitely get rid of range blocks).
-- daniel
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org javascript:; https://lists.wikimedia.org/mailman/listinfo/wikitech-l