calzoneman / sync

Node.JS Server and JavaScript/HTML Client for synchronizing online media

Support user account validation levels #781

Open calzoneman opened 6 years ago

calzoneman commented 6 years ago

CyTube essentially only has 2 levels of trust:

In order to help targeted channels avoid spam, it may be useful to introduce more account validation features, including:

Some discussion around this topic began in #777

h2v4c commented 5 years ago

I'd like to propose an option to require a verified phone number/2fa authentication as well, though I understand the complexity in running such a service.

calzoneman commented 5 years ago

I'm not keen on requiring phone verification. It's not necessarily about the technical complexity, but rather it would break two of my unwritten personal guidelines for CyTube:

  1. CyTube should not do things that irritate me on other websites. I despise when websites ask me for personal information like my phone number.
  2. CyTube should minimize personal data collected about individuals.

To be honest, even giving channels the option of requiring email validation was something I avoided for a while just because I can imagine myself finding that personally annoying as a user, however, I acknowledge that not doing anything would be an unpopular stance, and email is fairly ubiquitous for authentication anyways (and is already provided as an option at registration, so doesn't introduce any new personally identifying information to the security model).

With all of that said, I do appreciate the suggestion and am open to other ideas. A while back, I added the new account delay as an option for channels to combat spammers. I have personally had great success with this wasting trolls' time (have fun waiting 30 minutes for your account to be allowed to chat and then get banned on the first message), however, many channels are reluctant to deploy this because of inconvenience to guest users -- unfortunately unless RFC 3514 gets implemented, it's quite difficult to distinguish between a legitimate new account and someone who just hopped IPs to evade a ban. Channels have also been able to block connections from Tor exit nodes for years.

VPNs are harder to tackle (and again would need to be per-channel as I don't want to ban legitimate VPN users from the entire site), but maybe there would be value in redoing the IP ban feature to ban CIDR ranges and ASNs instead of the hardcoded 2- or 3-octet prefixes (which are rather useless and an artifact of a naive implementation when I didn't understand networking as well). You wouldn't have seen it publicly, but I have actually attacked some ban evasion behind the scenes by doing a reverse lookup of VPN IPs to ASNs to announced prefixes and blocking those at the website level for specific channels having issues.
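One way the IP ban check could be redone to match CIDR ranges instead of fixed 2- or 3-octet prefixes, as an added example that is not CyTube's own code. It is IPv4 only and assumes ASN lookups are handled elsewhere, since those need external routing data; the ban list and addresses are constructed.

```javascript
// Added example, not CyTube's code: CIDR-based ban matching for IPv4,
// alongside the legacy octet-prefix behaviour for comparison.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) {
      throw new Error(`bad IPv4 octet: ${p}`);
    }
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// Parse "a.b.c.d/len" (a bare address is treated as /32) into
// { network, mask }, rejecting prefix lengths outside 0..32.
function parseCidr(cidr) {
  const [addr, lenStr = '32'] = cidr.split('/');
  const len = Number(lenStr);
  if (!/^\d{1,2}$/.test(lenStr) || len > 32) {
    throw new Error(`bad prefix length: ${cidr}`);
  }
  // A shift by 32 is a no-op in JS, so /0 must be special-cased.
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { network: (ipv4ToInt(addr) & mask) >>> 0, mask };
}

// Return the first ban entry covering the address, or null.
// `bans` is a list of CIDR strings as a moderator would enter them.
function matchBan(ip, bans) {
  const n = ipv4ToInt(ip);
  for (const entry of bans) {
    const { network, mask } = parseCidr(entry);
    if (((n & mask) >>> 0) === network) return entry;
  }
  return null;
}

// Legacy behaviour: compare the first `octets` octets only, so a 2-octet
// ban blocks an entire /16 regardless of how the space is allocated.
function legacyPrefixBan(ip, bannedIp, octets) {
  return ip.split('.').slice(0, octets).join('.') ===
         bannedIp.split('.').slice(0, octets).join('.');
}

// Constructed sample list: one /24, one tighter /29, one single address.
const SAMPLE_BANS = ['203.0.113.0/24', '198.51.100.8/29', '192.0.2.77'];
```

The /29 entry shows the precision gain: it covers exactly 198.51.100.8 to .15, where a 3-octet prefix ban would have blocked all 256 addresses in 198.51.100.0/24.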

AssTractionHero commented 5 years ago

I'm not in favor of phone verification, lukewarm on email verification, but fully in support of finding some more obscure way of doing it, like ReCaptcha, but not ReCaptcha.

It would be nice to have some updated tools for the rare cases where it's a problem.


calzoneman commented 5 years ago

Whether or not captcha helps you at all depends on who you are trying to defend against. The purpose of a captcha is to defeat scripted attacks; in my experience most of the problematic users that end up making it to my attention are humans who actually have nothing better to do than manually hop VPNs and troll the same channel.

AssTractionHero commented 5 years ago

I am suddenly much more in favor of email verification. Although, it's still serving the same purpose as a bike lock: it's not going to prevent your bike from getting stolen, it's just going to slow down the thief.

calzoneman commented 5 years ago

Noting a couple requirements for email validation so I don't forget:

AssTractionHero commented 5 years ago

It would be convenient to have an additional level of trust, in the form of having a channel "whitelist", where trusted users can enter a channel (perhaps even one that's password-protected...?) without giving them a rank that would grant any additional privileges, as rank >= 2 does now.

How difficult would it be to implement that?

This could probably go along with the feature request for "favorite channels"?

calzoneman commented 5 years ago

You can open a separate issue for that. It's not so much an account level validation as a channel ACL.
