Gerard Meijssen wrote:
If we can cut down on 50% of the inaccurate blocks and many of the
blanket blocks when an XFF header IS given, we achieve a much more fine
grained tool of hurting vandalism without having to resort to always
removing the blocks because of good people being hurt by it. When it is
not feasible because the chance of doctored information from malicious
users is too great it is not possible. But 50% more accuracy when
dealing with proxies sounds good to me.

I said 50% of open proxies, i.e. unsecured proxies. They're only used by
vandals, Chinese people, and the occasional user who accidentally put
one on their own computer. We already have a policy to block all such
proxies on sight, except on zh. I've never seen an ISP proxy give a
meaningful XFF header, although admittedly I haven't been looking too
closely.

XFF headers have been useful to us in the past, for example they allowed
us to prove that it was Wik who was running a vandalbot attacking meta.
This allowed us to put together a solid complaint to his ISP. It wasn't
a useful filter method, because he was using a combination of forwarding
and non-forwarding proxies.

In a few percent of cases, this feature may allow discrimination between
vandals and other users. But it also opens up a security vulnerability.
It allows any blocked user with a basic knowledge of HTTP to block any
IP address they wish, just by pasting things into a telnet window.

I think a much better tool to discriminate between vandals and other
users would be a username whitelist or "trusted user" metric. This
allows discrimination even in the more common cases of dynamic IP
addresses and non-forwarding proxies. I'm not prepared to spend any time
on a feature which will only be useful in a tiny fraction of cases, and
will open up a security flaw.

-- Tim Starling
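
The forged-header risk raised in the message above can be narrowed by honouring X-Forwarded-For only when the request arrives from a proxy the operator has verified. The sketch below is an added example, not part of the thread and not MediaWiki code; the trusted-proxy list, the sample addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: proxies the operator has verified to append honest XFF entries.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def _is_trusted(ip, trusted):
    """True if ip falls inside one of the verified proxy networks."""
    return any(ip in net for net in trusted)


def block_target(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address a block should apply to.

    peer_ip is the TCP peer address, which the client cannot choose freely.
    xff_header is the raw X-Forwarded-For value, which the client can set to
    anything. An entry is believed only if the hop that reported it is trusted.
    """
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk from the right: the last entry was appended by the nearest proxy,
    # entries further left were supplied by hops further away (or by the client).
    while hops and _is_trusted(current, trusted):
        candidate = hops.pop()
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("203.0.113.7", "192.0.2.55"),                  # untrusted peer names someone else
        ("198.51.100.10", "192.0.2.99, 203.0.113.7"),   # trusted proxy, client-supplied prefix
        ("198.51.100.10", ""),                          # trusted proxy, no header
    ]
    for peer, xff in samples:
        print(f"{peer!s:15} {xff!r:30} -> {block_target(peer, xff)}")
```

With an empty trusted list the function always returns the TCP peer, which is the behaviour the reply argues for when no proxy can be vouched for.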