++the EFF for more ideas, they are actively doing great work on so-called
perfect forward secrecy.
There are simple things we could do to achieve a better balance between
privacy and sockpantsing, such as cryptolog [1], in which IP addresses are
hashed using a salt that changes every day. In theory, nobody can reverse
the function to reveal the IP, but you can still correlate all of an
address's edits for the day, week, or whatever, making CheckUser possible.
IP range blocking obviously needs to happen up-front, before the IP is
mangled. I have no suggestions, but maybe browser and preferences
fingerprinting would be more effective anyway, since: tor.
-Adam
[1]
On Fri, Jul 11, 2014 at 8:45 AM, Chris Steipp <csteipp(a)wikimedia.org> wrote:
On Friday, July 11, 2014, Daniel Kinzler
<daniel(a)brightbyte.de> wrote:
Am 11.07.2014 17:19, schrieb Tyler Romeo:
> Most likely, we would encrypt the IP with AES or something using a
> configuration-based secret key. That way checkusers can still reverse
the
hash back
into normal IP addresses without having to store the mapping
in the
database.
There are two problems with this, I think.
1) No forward secrecy. If that key is ever leaked, all IPs become
"plain".
And
it will be, sooner or later. This would probably not be obvious, so this
feature
would instill a false sense of security.
This is probably the biggest issue. Even if we hmac it, it's trivial to
brute force the entire ipv4 (and with intelligent assumptions about
generation, most of the ipv6) range in seconds, if the key was ever known.
2) No range blocks. It's often quite useful to be able to block a range
of
IPs.
This is an important tool in the fight against spammers, taking it away
would be
a problem.
Range blocks, I imagine, would continue working the same way they do.
Someone would have to identify the correct range (which is very difficult
when administrators can't see IP's), but on submission, we have the IP
address to check against the blocks. (Unless someone proposes to store
block ranges as hashes, that would definitely get rid of range blocks).
-- daniel
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org <javascript:;>
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l