Wikipedia talk:Open proxies

A confused editor gives a technical perspective on the policy of hardblocking open proxies

I've been reading, trying to figure out where the broad consensus that hardblocking, rather than softblocking, anonymous proxies is necessary comes from. I'm a computer scientist, and it deeply offends my sensibilities that Wikipedia, a Layer 7 application, makes decisions about me based on my choice of Layer 3 address. I can appreciate the cleverness of using IP addresses as credentials for anonymous users, and understand the need for IP blocks to fight anonymous vandals, but if a user has an account, they're just as easy to block no matter what IP they're logging in from.

The lone exception I've been able to find is in WP:ABK. This is an interesting and, once again, technically clever system, but it's clearly a hack; it relies on certain aspects of the Internet Protocol that are usually true but not guaranteed. The advent of mobile computing has forced me as a computer scientist to start dealing with situations where a user's session is not tied to a single IP at all, but could roam between multiple IPs, which is not a trivial issue to deal with (especially over UDP or other unreliable transport: barrels of ink have been spilled over handling this problem in VPN protocols). I typically carry a second IP in my pocket (my iPhone's LTE is as fast as my cable, albeit more expensive), and I can obtain a new one from my cable company at will by tweaking my router's MAC address. IPv6 has already been officially turned on, and it typically hands out thousands or millions of IP addresses to every customer; IPv6-only clients can connect to IPv4 servers using 6to4 or Teredo gateways, which mask their "real" IP just as effectively as anonymous proxies do; since they aren't actually HTTP proxies, though, don't expect the X-Forwarded-For header to solve all your problems!

In short, blocking anything that breaks Autoblock is short-sighted and misguided. Wikipedia is one of the pioneers of the internet community, and it has a responsibility to encourage new and innovative uses of technology, not hinder them because they require more effort to control.

It seems to me that the IPEXEMPT flag would strike a good balance between automatic sockpuppet prevention and ease-of-use, but current policy is that this flag is given only in "exceptional circumstances," requires trusting an editor with an "admin tool," and that it can be revoked preemptively. I don't understand how this flag could be treated as such a sensitive tool. A minimal level of human (admin) verification needed to assign this flag to an account, on par with the scrutiny for receiving rollback, would effectively prevent the creation of sockpuppet armies, and prevent the use of stolen accounts (which would probably not have applied for the IPEXEMPT flag). (If more assurance that an account would not be stolen in the future were needed, it would be simple to require a prospective IPEXEMPT editor to have a committed identity.)

I'm interested in the community's thoughts on this subject. It's my hope that I can provide a valuable technical viewpoint to the consensus-building process.

MrNerdHair (talk) 07:24, 1 March 2013 (UTC)

@MrNerdHair: It's been nearly 7 years and no one has responded to your concern. Sad. I completely concur. For the last couple of years my ISP has no longer given me a unique public IP address, I only have an internal 10.x.x.x address and I'm routed in a NAT-like fashion through a public IP that is shared with many other customers (dozens, or possibly hundreds—who knows). Wikipedians are actively hunting down all the IP addresses of VPNs (even paid ones, see below) and blocking them too. Even while logged in with my email verified I have to disable my VPN in order to edit Wikipedia or even post on a talk page. I think that policy is putting editors' privacy at risk and it's discouraging me from contributing. — SimonEast (talk) 05:35, 12 January 2020 (UTC)

I agree with you, indeed no reason to tie to IP adress for any purpuses at all. The first priority should always be the wikipedia ID and only as latest measure should be the list of restrictions by IP, which means there is no way to authenticate the user. Sanaris (talk) 22:30, 15 March 2020 (UTC)

I don't see the rationale behind the ban for registered autoconfirmed users as well, and this hurts me too since I live under an oppressive censoring government (so i have to use a proxy for my day-to-day browsing to avoid blocks), but Wikipedia administration have dismissed my request to give me an exempt w/o providing any reasoning in their decision. Since no one seems to react to the contents of this talk page, is there a better place to discuss such policies? L29Ah (talk) 21:30, 30 March 2020 (UTC)

@L29Ah and SimonEast: I'd recommend a previous response by me further down this page. The short answer to this concern is that autoconfirmed is not any type of barrier, because we often see that anyone can achieve multiple accounts with this status. You then end up with multiple accounts running across multiple proxies. I'd also give a tip for any future discussions: any proposal which involves converting all hard blocks to soft blocks is unlikely to work. Also, there is rarely such a monolith as 'Wikipedia administration', so I would also recommend sending your request to me by email, if you'd like it seriously considered. -- zzuuzz ^(talk) 22:23, 30 March 2020 (UTC)

Eight years and no solution

Can someone explain to me why nobody has found a way to let long-standing logged-in editors use proxies and VPNs. I've read through both pages of comments and nobody seems to want to fix this. Also MrNerdHair's valid comments above haven't been so much as answered. 阝工巳几千凹父工氐 (talk) 03:15, 21 July 2013 (UTC)

VPN's usually aren't blocked unless they offer a free trial. This page seems to have few watchers... Sailsbystars (talk) 01:07, 4 April 2014 (UTC)

Proactive proxy hunting

Is there any reason why we can't get subscriptions to paid open proxy servers in an effort to identify exactly which IPs are available so that we can block them? GabeMc ^{(talk|contribs)} 17:15, 26 May 2014 (UTC)

I believe something like that is how ProcseeBot (talk · contribs) operates, but it only catches one type of proxy that it can immediately and automatically verify.... web proxies, OTOH suffer from an inverse problem in that it's hard to establish with certainty that it is a proxy. Sailsbystars (talk) 21:08, 26 May 2014 (UTC)

This is now the official policy on open proxies

I just rearranged some articles to say that this page is the official policy on open proxies. I trust this is not controversial. I did not actually change content here.

I did this because Wikipedia:Blocking_IP_addresses#Open_proxies, a "consensus page" which is weaker than those tagged as Wikipedia:Policies and guidelines, says to go here for more information. This page previously said that for more information, one should go to Wikipedia:Blocking_policy#Open_or_anonymous_proxies, which is a policy page just like this one. That page said to come here for details, but since all of the information on the topic is here, it should note that this is the main page. Wikipedia policy pages should be set up so that one page claims to be the main policy, and other pages refer to that page as the main policy. This is how I rearranged things. The "blocking" page is about blocking generally, and is not really about open proxies, and the IP address page is about something else too. This is the most relevant page, so I made the other pages refer to this one when talking about open proxies.

The changes that I made are to say that conversations about open proxies, for blocking or otherwise, should go here in this talk forum, and that this is the page where people read policy on open proxies and not elsewhere. Blue Rasberry (talk) 01:18, 17 December 2014 (UTC)

I am not sure what you are talking about, but I know that somebody has been going around "fixing" articles so that tens of thousands of people with ordinary Los Angeles Public Library cards can no longer get access to check on the sources for the scores of articles I have written about L.A. topics. If you think this improves the encyclopedia, you are definitely wrong. It stinks: Take it from one who has BeenAroundAWhile (talk) 15:11, 13 January 2020 (UTC)

Why Wikimedia, Inc. should not care about IPv4 addresses

I would like to suggest that IPv4 addresses are no longer a good way to identify users. Most ISPs assign a new IPv4 address periodically (usually, every disconnection from the ISP introduces a new IPv4 address and many ISPs assign a new address at least once every 72 hours, the DHCP default). Because ISPs are no longer allocated sufficient IPv4 addresses to assign a separate address to each connected device, ISPs have begun to use port reassignment (the same as VPNs and Proxies). With port reassignment, users connect to the ISP via an intranet IPv4 address (which can appear to be an ordinary IPv4 address) and the ISP connects the user to the internet via a range of source ports on an internet IPv4 address. Thousands of user devices can use the same IPv4 address. IPv4 addresses are still useful for identification of the company that connects a user or device to the internet.

US law was changed earlier this year to allow ISPs to sell user information and trace logs, without notice to users. This includes source and destination IP addresses for every connection and (when available) the Latitude and Longitude from which the user is making the connection. This applies even to HTTPS connections. This has caused many of us to turn to VPNs for all internet use.

For both security and privacy reasons, most US internet users and all mobile connection users (any type of radio connection) should be connected via an encrypted connection to the internet. Radio connections are easily hackable, so an ISP or intermediary that accepts encrypted routing (IP packet) headers is necessary. Encrypted connection to one's ISP or mobile telephone provider is rarely available.

Requiring HTTPS connections, login IDs, and passwords, and the use of email to confirm each login ID is much more reliable. HTTP connections allow easy packet insertion hacks. If you require an email confirmation for connections that are from a provider the user has not used before, that provides some additional identity assurance beyond the password, if the user's connection to the provider is encrypted. But a provider that accepts unencrypted communication from users (like most ISPs) is not reliable assistance in identifying users. Drbits (talk) 01:04, 9 November 2017 (UTC)

Thanks for the detailed explanation @Drbits:. I completely agree. As I noted in my previous comment above, my ISP no longer provides me with my own IPv4 address, I have to share it with dozens, if not hundreds/thousands of other customers. And I cannot edit via a paid VPN because that is also considered a transport for abuse. *sigh* — SimonEast (talk) 05:50, 12 January 2020 (UTC)

Why requiring VPN disconnection is a problem

For security reasons, disconnecting from a VPN often also disables internet connection from most programs. This is not just inconvenient, but it also temporarily blocks antivirus updates, file synchronization, and other security measures.

More sophisticated computer users can greatly improve system security by only leaving the VPN port open in the firewall. Drbits (talk) 01:19, 9 November 2017 (UTC)

It looks to me as though all these legitimate complaints about VPN blocking are being systematically ignored. There is no valid reason that confirmed registered users, when logged in, should be blocked from editing, just because of their IP address. I'm starting to believe that some administrators are compulsively and closed-mindedly pressing forward with this policy, "Don't confuse us with the facts". The only plausible explanations I can come up with for this prolonged behavior are... — well, understandably human, but... — still not all that flattering. Respectfully, you guys need to review what you're doing, here.--IfYouDoIfYouDon't (talk) 09:30, 22 November 2018 (UTC)

I understand the concern about traceability, but requiring logins eliminates that. The only other thing I can think of is the concern over DDOS attacks - but those would apply to access to all of the organization's assets. Drbits (talk) 03:27, 19 February 2020 (UTC)

@Drbits, User:IfYouDoIfYouDon't it has gotten very ugly. Two Wikipedia editors were arrested in Saudi Arabia and who knows if it may have had something to do with the inability to use vpn. There is a discussion in Wikipedia:Village pump (WMF)/Archive 6#Saudi Arabia arrests two Wikipedia adminstors. Thinker78 (talk) 01:31, 9 January 2023 (UTC)

This is so dumb.

I'm trying to get into the Los Angeles Public Library website so I can check on a source for an article I posted. Here is what I got, a big message about "Proxies." https://en.wikipedia.org/w/index.php?title=Bernard_Cohn_(politician)&action=submit I've noticed that somebody within the past few years has gone around and messed with ALL the LAPL library sources, and now I can't see the sources for all the articles I've created, and I've done a few hundred or more. I have GOT to be able to check the sources, and so does everybody else. What is the purpose of this? It seems to have been done with no notice to anybody. Sincerely, BeenAroundAWhile (talk) 01:29, 27 September 2019 (UTC)

Autoconfirmed editors should be allowed to edit through proxies.

Autoconfirmed editors should be allowed to edit through proxies. They've already shown that they're not vandals. Blocking them does nothing but prevent constructive edits. Benjamin (talk) 05:34, 29 September 2019 (UTC)

I'm not sure if this is an answer to my rant above, but if it means I can get back to my Los Angeles Public Library sources (as could anybody else with a Los Angeles Public Library card), I'm in favor of it. BeenAroundAWhile (talk) 05:38, 29 September 2019 (UTC)

I would agree @Benjaminikuta:. Blocking not only open-proxies but any and all VPNs even for autoconfirmed editors does seem like a great overkill and puts editors' privacy and security at risk. Sadly, it doesn't appear that anyone of influence is reading the posts on this page. Perhaps there's a better location to raise these concerns. — SimonEast (talk) 05:46, 12 January 2020 (UTC)

Thanks for the reply. Perhaps we could start an RfC? But I'm not so familiar with the procedure. Benjamin (talk) 09:10, 12 January 2020 (UTC)

The appropriate place to start would probably be WP:VP. Speaking as someone who deals with abusive sockpuppets and sometimes partially helps to implement this policy, I'd say two things: First, autoconfirmed is no barrier and we often have to deal with multiple autoconfirmed sock farms hopping around multiple proxies. Second, before thinking about a RfC, have a good read of WT:IPBE, which is closely intertwined with this policy. -- zzuuzz ^(talk) 14:26, 13 January 2020 (UTC)

How banned are VPNs?

"using a VPN to edit is not permitted."

This was news to me!

Now, I recognise that there are good reasons to block some anonymising services. However for a logged-in WP account, particularly one which is autoconfirmed, been here for years etc., why is their use of a VPN as an invisible transport mechanism from them to WP (for reasons which quite honestly are just none of our business) any sort of problem? Andy Dingley (talk) 16:55, 8 March 2020 (UTC)

Yeah, this is definitely not the case, but an uncommonly held misbelief which really should be corrected. You won't find it written in policy. -- zzuuzz ^(talk) 17:41, 8 March 2020 (UTC)

This was an admin refusing an unblock request (presumably some sort of IP ban collision). User talk:Deku-shrub#Unblock @331dot: Andy Dingley (talk) 19:26, 8 March 2020 (UTC)

I have recently become aware that the requirements for IPBEs have been loosened from my initial understanding of them. I'm still working on this. 331dot (talk) 19:31, 8 March 2020 (UTC)

Can open proxies be used in a countries that blocked Wikipedia?

Is there's exception that open proxies can be used for any countries that blocked Wikipedia (e.g. China)? SpinnerLaserzthe2nd (talk) 18:01, 6 May 2022 (UTC)

See Wikipedia:Advice to users using Tor to bypass the Great Firewall. AKK700 07:03, 20 September 2022 (UTC)

Use TCPioneer to access the WP without changing the IP address. IntegerSequences (talk | contribs) 01:06, 22 December 2022 (UTC)

There is a discussion at Village Pump

There is a discussion of this policy at Wikipedia:Village pump (policy)#Allow registered editors to use vpn (open proxies). Your input is welcome! --Thinker78 (talk) 15:58, 11 January 2023 (UTC)

Should we add a page about Google One/Private Relay?

I know that Google One VPN is blocked. How about people using Private Relay from Apple- would that be considered an open proxy too? I think we might need to make a page about this as a lot of people might be using it and they may not be aware. 747pilot (talk) 19:57, 14 April 2023 (UTC)

Just weird

I know I'm about to bring out a lot of angry men shouting about sockpuppets, but it just seems bizarre to me that Wikipedia allows people to edit through random URLs without registration, but apparently can't find a way to allow registered editors with thousands of good edits to edit through a commercial VPN.Atrapalhado (talk) 13:38, 2 March 2024 (UTC)