
Re: Wikipedia and Tor - a solution in the works?



On 10/29/05, Anthony DiPierro <or@xxxxxxxxx> wrote:
>  So now, we have "trusted user -> tor cloud -> authentication server ->
> wikipedia".  The Tor cloud between the authentication server and Wikipedia
> was difficult to implement and essentially useless, so we dropped it.
> Instead the authentication server connects directly to Wikipedia using a
> single IP address.  This could be implemented without too much work on the
> part of Wikipedia, they'd essentially only have to agree not to ban the IP
> address of the authentication server (at least not for a very long period of
> time), and to send information about any bad behavior to that server.  In
> theory you could even run it as a Tor hidden service, increasing the
> anonymity (especially since Wikipedia doesn't offer https).

I agree with this concept, but I think you are focusing too narrowly
on Wikipedia.  The general case is:

trusted user -> tor cloud -> authentication server -> whatever

The point is, as Jimmy Wales notes, what constitutes abuse is not that
different for Wikipedia than for other wikis, for blog spam, for email
spam, and for many other services on the net. An authentication server
that only allows trusted users through is a generally useful
capability.

I am working on software to provide this service. It is slow going due
to the complexity, but I will hopefully have something working in a
few weeks. Here is a brief description.

The authentication server can be thought of as a proxy which only
serves a set of "customers in good standing". Like a Tor exit server,
it applies its own policies to filter outbound connections to whatever
the server operator thinks is appropriate. However the main point of
the proxy server is to accept anonymous connections outbound from Tor
(or any similar anonymity service), to verify that they are associated
with good customers, and to pass them on. In this way, anonymous users
can still access sites that block Tor exit nodes and those of other
anonymity services.

Although connections through the authentication server are anonymous,
cryptography is used to associate each connection with a unique
identifier. If the authentication server gets a report back of bad
behavior by one of its customers, the identifier in use at the time of
the abuse can be put on a blacklist. More crypto allows each user to
prove that he is not on the blacklist, while still retaining his
anonymity. Keeping the multiple uses of the authentication server
unlinkable provides an important element of privacy. Otherwise the
authentication server could build up profiles about the places which
each nym likes to visit, and possibly correlate that with the use of
various pseudonyms on the net.

The result is that the authentication server is something like an
"anonymous ISP" in terms of having a set of customers that go through
the server, and being responsible for cancelling the accounts of
customers who misbehave. Because it is responsive to complaints from
services on the net, the authentication server should be able to avoid
being blocked and can maintain the ability for good customers to
continue to be first class users of the net even while being
anonymous.

The details are beyond the scope of this note, but the idea is similar
to the mechanism used by Jason Holt in his nym software. Users would
register for the service via some mechanism that makes it expensive.
Perhaps this involves using their real names and/or email addresses,
or maybe it could even cost money. On this basis they get what is
essentially a blind signature, although the technology is not based on
Chaum. They can then show this signature anonymously and unlinkably to
other showings (this is where it goes beyond Chaum). At the same time
they commit to their signed value and are able to prove that their
commitment is different from any of those on the blacklist.

Running the authentication server will take a certain amount of
commitment on the part of the operator. He must respond to complaints
fairly and expeditiously, and maintain the blacklist. He needs to set
his policies for exit connections, and for how to make it expensive to
create new accounts. It would nevertheless be a highly useful service
for anonymous users and would therefore increase the spread of
anonymity.

CP
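
The register, show and blacklist flow described in the message above, as an added example that is not the poster's software or code from the nym project. It substitutes textbook Chaum RSA blinding, which the message says its own design is not based on, and the token is shown in the clear, so repeated showings here are linkable where the described scheme keeps them unlinkable. The key, `AuthServer` and all function names are hypothetical.

```python
import hashlib, math, secrets

# Toy RSA key built from two Mersenne primes (constructed, insecure, demo only).
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # server's private exponent

def h(token: bytes) -> int:
    """Hash a token to an integer modulo N (no padding: textbook RSA)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(token: bytes):
    """User: hide h(token) behind a random factor r before registration."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r

def sign_blinded(blinded: int) -> int:
    """Server: sign at (expensive) registration without seeing the token."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """User: strip r to obtain an ordinary signature on h(token)."""
    return (blind_sig * pow(r, -1, N)) % N

class AuthServer:
    """Hypothetical gatekeeper: admit only valid, non-blacklisted tokens."""
    def __init__(self):
        self.blacklist = set()

    def admit(self, token: bytes, sig: int) -> bool:
        valid = pow(sig, E, N) == h(token)
        return valid and token not in self.blacklist

    def report_abuse(self, token: bytes) -> None:
        self.blacklist.add(token)

def demo():
    token = secrets.token_bytes(16)      # chosen by the user, hidden at registration
    blinded, r = blind(token)
    sig = unblind(sign_blinded(blinded), r)
    server = AuthServer()
    before = server.admit(token, sig)    # anonymous showing, e.g. arriving via Tor
    server.report_abuse(token)           # complaint relayed by the destination site
    after = server.admit(token, sig)
    return before, after, blinded != h(token)
```
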