From: Anthony DiPierro <or@xxxxxxxxx>
Reply-To: or-talk@xxxxxxxxxxxxx
To: or-talk@xxxxxxxxxxxxx
Subject: Wikipedia and Tor - a solution in the works?
Date: Sat, 29 Oct 2005 14:42:36 -0400
Jimmy Wales proposed what he described as a "simple solution to the problem
of Tor users being unable to edit Wikipedia." Here it is:
"trusted user -> tor cloud -> authentication server -> trusted tor cloud ->
wikipedia"
"untrusted user -> tor cloud -> authentication server -> untrusted tor
cloud
-> no wikipedia"
David Benfell responded "So they want us to do their authentication for
them. Wrong answer." I think this points out exactly the problem with Mr.
Wales' proposal, but it's perhaps not clear to everyone why.
First, let me try to understand exactly what it is Mr. Wales is proposing.
Someone, presumably someone not affiliated directly with Wikipedia, is
supposed to run an "authentication server". Presumably this authentication
server will establish pseudonymous accounts with some mechanism for
authentication (for simplicity let's say username/password). Some mechanism
will be used to tie edits made to Wikipedia to the account username, and
upon complaints coming from Wikipedia that account will be disabled. Now,
since the authentication server must not know the true identity of the
trusted user (since that would completely destroy the anonymity), there
needs to be a way for an untrusted user to become a trusted user. But to
limit abuse where a single person creates many accounts, some mechanism
must
be implemented at the authentication server to throttle the creation of new
pseudonymous accounts.
Let me now explain why the "trusted tor cloud" would be very difficult to
implement, as well as why it is essentially useless. The difference between
a "trusted user" and an "untrusted user" is specific to the application.
What Wikipedia considers bad behavior does not coincide with what someone
else might consider bad behavior. While there might be some actions which
are fairly universally accepted as bad behavior, it is likely that
Wikipedia
will not accept merely limiting these behaviors. What I'm saying in
essense,
is that the "authentication server" would have to be geared specifically to
Wikipedia. For this reason, the trusted tor cloud would likely be very
small, and it would be quite simple to determine the location of the
authentication server. So you might as well remove the "trusted tor cloud"
completely, and simply have the authentication server connect directly to
Wikipedia.
So now, we have "trusted user -> tor cloud -> authentication server ->
wikipedia". The Tor cloud between the authentication server and Wikipedia
was difficult to implement and essentially useless, so we dropped it.
Instead the authentication server connects directly to Wikipedia using a
single IP address. This could be implemented without too much work on the
part of Wikipedia, they'd essentially only have to agree not to ban the IP
address of the authentication server (at least not for a very long period
of
time), and to send information about any bad behavior to that server. In
theory you could even run it as a Tor hidden service, increasing the
anonymity (especially since Wikipedia doesn't offer https).
If Wikipedia would agree to this, it wouldn't be too hard to set up. But it
would make the most sense for Wikipedia to run the authentication server
itself! Wikipedia already has pseudonymous accounts set up, after all.
To be clear, for those who aren't familiar with the way Wikipedia
implements
blocking, users, even users that have established accounts on Wikipedia for
years, cannot edit Wikipedia if the IP address they are using is blocked
(even admins are blocked from editing, though they are able to remove the
IP
block). There is a proposal on Wikipedia to correct this, at
http://en.wikipedia.org/wiki/Wikipedia:Blocking_policy_proposal . Almost
everyone supports it, the only real question is what mechanism to use to
throttle/limit the creation of new accounts. It seems to me that this is a
good implementation of "trusted user -> tor cloud -> authentication server
-> wikipedia", where the authentication server is run by Wikipedia itself.
What would be a good additional feature would be for Wikipedia to offer a
Tor hidden service to use to connect to Wikipedia. This is especially true
since Wikipedia passwords are passed in plaintext over http and thus could
be snooped by an exit node.