discuitnet / discuit

A free and open-source community discussion platform.
https://discuit.net
GNU Affero General Public License v3.0

[Discussion] Browser Fingerprinting #51

Open reallytiredofclowns opened 8 months ago

reallytiredofclowns commented 8 months ago

Does anyone have any expertise with fingerprinting? Related to the suggestion with IP banning, I know Reddit does implement some sort of procedure to help detect ban evasion. This might help with the recurring !@#$-disturber on Discuit.

Here is an overview article of fingerprinting that I found fairly comprehensible, as someone completely new to the idea.

Codycody31 commented 8 months ago

This could be possible. Though I believe it would be a case of: once we block a user, the fingerprint is added to a list that is blocked. A main issue with implementing this though would be privacy, as we would need to store the fingerprint anyway to tie it back to a specific user/person.

Something like this maybe (just a sample demo idea):

package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// getIP extracts the IP address of the client from the request
func getIP(r *http.Request) string {
	// Standard proxy forwarding header
	forwarded := r.Header.Get("X-Forwarded-For")
	if forwarded != "" {
		// return the first IP if multiple are present (entries are comma-separated, often with a space)
		return strings.TrimSpace(strings.Split(forwarded, ",")[0])
	}
	// fallback to direct connection IP; SplitHostPort handles IPv6 literals such as "[::1]:8080",
	// which a plain split on ":" would truncate to "[" 
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// browserFingerprint generates a unique identifier for a user based on their browser details
func browserFingerprint(r *http.Request) string {
	userAgent := r.UserAgent()
	acceptLang := r.Header.Get("Accept-Language")
	encoding := r.Header.Get("Accept-Encoding")
	ip := getIP(r)

	// Combine the collected details to form a unique identifier
	rawIdentifier := fmt.Sprintf("%s|%s|%s|%s", userAgent, acceptLang, encoding, ip)

	// Hash the combined string using SHA-256 for a consistent, anonymized identifier
	hasher := sha256.New()
	hasher.Write([]byte(rawIdentifier))
	hashedIdentifier := hex.EncodeToString(hasher.Sum(nil))

	return hashedIdentifier
}

reallytiredofclowns commented 8 months ago

I don't think having the IP address as a part of the hash is helpful in this particular case, as the user in question is apparently hopping IPs like crazy. But the general idea is interesting.

Codycody31 commented 8 months ago

Ah, then that tends to make it harder. Either way, they could just spoof a new browser, which is pretty easy.
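The following is an added example, not code from the discuit project or from anyone in this thread. It pulls the three points above together: the fingerprint is computed from header fields only, with the IP left out (so an IP-hopping user still matches), the digest is an HMAC under a server-side secret rather than a bare SHA-256 (so a leaked fingerprint table cannot be matched against raw headers without the key), and a banned account's fingerprint is recorded in a blocklist that a middleware consults. The in-memory map, the `NewFingerprinter` key argument and the `newRequest` helper are assumptions for the demo; a real deployment would store fingerprints next to the ban record in the database and treat a match as a moderator signal rather than an automatic block, since two users with an identical browser setup collide and, as noted above, a changed User-Agent string is enough to produce a fresh fingerprint.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
	"sync"
)

// Fingerprinter derives a keyed fingerprint from request headers and keeps a
// blocklist of fingerprints that belong to banned accounts.
type Fingerprinter struct {
	key     []byte            // server-side secret (assumed to come from config); HMAC key for the digest
	mu      sync.RWMutex
	blocked map[string]string // fingerprint -> banned username (in-memory stand-in for a DB table)
}

func NewFingerprinter(key []byte) *Fingerprinter {
	return &Fingerprinter{key: key, blocked: make(map[string]string)}
}

// Fingerprint hashes a few stable header fields. The client IP is deliberately
// excluded, and each value is lower-cased and whitespace-normalized so trivial
// differences do not yield distinct fingerprints.
func (f *Fingerprinter) Fingerprint(r *http.Request) string {
	fields := []string{
		r.UserAgent(),
		r.Header.Get("Accept-Language"),
		r.Header.Get("Accept-Encoding"),
		r.Header.Get("Accept"),
	}
	for i, v := range fields {
		fields[i] = strings.ToLower(strings.Join(strings.Fields(v), " "))
	}
	mac := hmac.New(sha256.New, f.key)
	mac.Write([]byte(strings.Join(fields, "|")))
	return hex.EncodeToString(mac.Sum(nil))
}

// Ban records the fingerprint of the request made by the account being banned.
func (f *Fingerprinter) Ban(r *http.Request, username string) {
	fp := f.Fingerprint(r)
	f.mu.Lock()
	defer f.mu.Unlock()
	f.blocked[fp] = username
}

// BannedAs reports which banned account, if any, shares this request's fingerprint.
func (f *Fingerprinter) BannedAs(r *http.Request) (string, bool) {
	fp := f.Fingerprint(r)
	f.mu.RLock()
	defer f.mu.RUnlock()
	u, ok := f.blocked[fp]
	return u, ok
}

// Middleware refuses requests whose fingerprint matches a banned account.
// A match is only a heuristic (identical browser setups collide), so in
// production this would flag the signup for review rather than hard-block it.
func (f *Fingerprinter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, banned := f.BannedAs(r); banned {
			http.Error(w, "account creation blocked", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRequest builds a constructed sample request with the given header values.
func newRequest(ua, lang, enc string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://example.test/signup", nil)
	r.Header.Set("User-Agent", ua)
	r.Header.Set("Accept-Language", lang)
	r.Header.Set("Accept-Encoding", enc)
	return r
}

func main() {
	f := NewFingerprinter([]byte("constructed-demo-key"))
	banned := newRequest("Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0", "en-US,en;q=0.5", "gzip, deflate, br")
	f.Ban(banned, "troll")

	// Same browser from another IP: still matched, because IP is not part of the digest.
	again := newRequest("Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0", "en-US,en;q=0.5", "gzip, deflate, br")
	again.RemoteAddr = "203.0.113.9:4242"
	u, ok := f.BannedAs(again)
	fmt.Println("same browser, new IP:", ok, u)

	// Different User-Agent: not matched, which is the weakness noted in the thread.
	other := newRequest("Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "en-US,en;q=0.5", "gzip, deflate, br")
	_, ok = f.BannedAs(other)
	fmt.Println("different browser:", ok)
}
```

Keying the digest with HMAC is what addresses the privacy concern raised above: the stored value can only be recomputed by the server holding the key, so the table is of no use to anyone who obtains it without that key. Rotating the key invalidates the whole blocklist, which is an acceptable trade-off for a short-lived ban-evasion signal.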