Wikipedia talk:Open proxies

From Wikipedia, the free encyclopedia
Jump to: navigation, search

A confused editor gives a technical perspective on the policy of hardblocking open proxies[edit]

I've been reading, trying to figure out where the broad consensus that hardblocking, rather than softblocking, anonymous proxies is necessary comes from. I'm a computer scientist, and it deeply offends my sensibilities that Wikipedia, a Layer 7 application, makes decisions about me based on my choice of Layer 3 address. I can appreciate the cleverness of using IP addresses as credentials for anonymous users, and understand the need for IP blocks to fight anonymous vandals, but if a user has an account, they're just as easy to block no matter what IP they're logging in from.

The lone exception I've been able to find is in WP:ABK. This is an interesting and, once again, technically clever system, but it's clearly a hack; it relies on certain aspects of the Internet Protocol that are usually true but not guaranteed. The advent of mobile computing has forced me as a computer scientist to start dealing with situations where a user's session is not tied to a single IP at all, but could roam between multiple IPs, which is not a trivial issue to deal with (especially over UDP or other unreliable transport: barrels of ink have been spilled over handling this problem in VPN protocols). I typically carry a second IP in my pocket (my iPhone's LTE is as fast as my cable, albeit more expensive), and I can obtain a new one from my cable company at will by tweaking my router's MAC address. IPv6 has already been officially turned on, and it typically hands out thousands or millions of IP addresses to every customer; IPv6-only clients can connect to IPv4 servers using 6to4 or Teredo gateways, which mask their "real" IP just as effectively as anonymous proxies do; since they aren't actually HTTP proxies, though, don't expect the X-Forwarded-For header to solve all your problems!

In short, blocking anything that breaks Autoblock is short-sighted and misguided. Wikipedia is one of the pioneers of the internet community, and it has a responsibility to encourage new and innovative uses of technology, not hinder them because they require more effort to control.

It seems to me that the IPEXEMPT flag would strike a good balance between automatic sockpuppet prevention and ease-of-use, but current policy is that this flag is given only in "exceptional circumstances," requires trusting an editor with an "admin tool," and that it can be revoked preemptively. I don't understand how this flag could be treated as such a sensitive tool. A minimal level of human (admin) verification needed to assign this flag to an account, on par with the scrutiny for receiving rollback, would effectively prevent the creation of sockpuppet armies, and prevent the use of stolen accounts (which would probably not have applied for the IPEXEMPT flag). (If more assurance that an account would not be stolen in the future were needed, it would be simple to require a prospective IPEXEMPT editor to have a committed identity.)

I'm interested in the community's thoughts on this subject. It's my hope that I can provide a valuable technical viewpoint to the consensus-building process.

MrNerdHair (talk) 07:24, 1 March 2013 (UTC)

Eight years and no solution[edit]

Can someone explain to me why nobody has found a way to let long-standing logged-in editors use proxies and VPNs. I've read through both pages of comments and nobody seems to want to fix this. Also MrNerdHair's valid comments above haven't been so much as answered. 阝工巳几千凹父工氐 (talk) 03:15, 21 July 2013 (UTC)

VPN's usually aren't blocked unless they offer a free trial. This page seems to have few watchers... Sailsbystars (talk) 01:07, 4 April 2014 (UTC)

Proactive proxy hunting[edit]

Is there any reason why we can't get subscriptions to paid open proxy servers in an effort to identify exactly which IPs are available so that we can block them? GabeMc (talk|contribs) 17:15, 26 May 2014 (UTC)

I believe something like that is how ProcseeBot (talk · contribs) operates, but it only catches one type of proxy that it can immediately and automatically verify.... web proxies, OTOH suffer from an inverse problem in that it's hard to establish with certainty that it is a proxy. Sailsbystars (talk) 21:08, 26 May 2014 (UTC)

This is now the official policy on open proxies[edit]

I just rearranged some articles to say that this page is the official policy on open proxies. I trust this is not controversial. I did not actually change content here.

I did this because Wikipedia:Blocking_IP_addresses#Open_proxies, a "consensus page" which is weaker than those tagged as Wikipedia:Policies and guidelines, says to go here for more information. This page previously said that for more information, one should go to Wikipedia:Blocking_policy#Open_or_anonymous_proxies, which is a policy page just like this one. That page said to come here for details, but since all of the information on the topic is here, it should note that this is the main page. Wikipedia policy pages should be set up so that one page claims to be the main policy, and other pages refer to that page as the main policy. This is how I rearranged things. The "blocking" page is about blocking generally, and is not really about open proxies, and the IP address page is about something else too. This is the most relevant page, so I made the other pages refer to this one when talking about open proxies.

The changes that I made are to say that conversations about open proxies, for blocking or otherwise, should go here in this talk forum, and that this is the page where people read policy on open proxies and not elsewhere. Blue Rasberry (talk) 01:18, 17 December 2014 (UTC)

Why Wikimedia, Inc. should not care about IPv4 addresses[edit]

I would like to suggest that IPv4 addresses are no longer a good way to identify users. Most ISPs assign a new IPv4 address periodically (usually, every disconnection from the ISP introduces a new IPv4 address and many ISPs assign a new address at least once every 72 hours, the DHCP default). Because ISPs are no longer allocated sufficient IPv4 addresses to assign a separate address to each connected device, ISPs have begun to use port reassignment (the same as VPNs and Proxies). With port reassignment, users connect to the ISP via an intranet IPv4 address (which can appear to be an ordinary IPv4 address) and the ISP connects the user to the internet via a range of source ports on an internet IPv4 address. Thousands of user devices can use the same IPv4 address. IPv4 addresses are still useful for identification of the company that connects a user or device to the internet.

US law was changed earlier this year to allow ISPs to sell user information and trace logs, without notice to users. This includes source and destination IP addresses for every connection and (when available) the Latitude and Longitude from which the user is making the connection. This applies even to HTTPS connections. This has caused many of us to turn to VPNs for all internet use.

For both security and privacy reasons, most US internet users and all mobile connection users (any type of radio connection) should be connected via an encrypted connection to the internet. Radio connections are easily hackable, so an ISP or intermediary that accepts encrypted routing (IP packet) headers is necessary. Encrypted connection to one's ISP or mobile telephone provider is rarely available.

Requiring HTTPS connections, login IDs, and passwords, and the use of email to confirm each login ID is much more reliable. HTTP connections allow easy packet insertion hacks. If you require an email confirmation for connections that are from a provider the user has not used before, that provides some additional identity assurance beyond the password, if the user's connection to the provider is encrypted. But a provider that accepts unencrypted communication from users (like most ISPs) is not reliable assistance in identifying users. Drbits (talk) 01:04, 9 November 2017 (UTC)

Why requiring VPN disconnection is a problem[edit]

For security reasons, disconnecting from a VPN often also disables internet connection from most programs. This is not just inconvenient, but it also temporarily blocks antivirus updates, file synchronization, and other security measures.

More sophisticated computer users can greatly improve system security by only leaving the VPN port open in the firewall. Drbits (talk) 01:19, 9 November 2017 (UTC)