Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow impersonation or certify authenticity of posters #105

Open
schveiguy opened this issue May 23, 2018 · 3 comments
Open

Disallow impersonation or certify authenticity of posters #105

schveiguy opened this issue May 23, 2018 · 3 comments

Comments

@schveiguy
Copy link

Recently, an individual posted a few messages pretending to be both famous people, and people who regularly post on the forums (including myself). The famous people, I don't think there's much we can do about it. But it shouldn't really be easy to anonymously post with the name of someone else who is a known poster on the forums. Given that there's not really any other obvious identifying information (other than a gravatar if you have set one), it really looks like that original person has posted.

We may come across people with the same name, and I would handle that by not allowing posting without establishing an actual account/password.

Those of us who do have accounts should be able to "reserve" our names to prevent them from being impersonated.

Of course, you can't prevent newsgroup postings anonymously, but most trolls aren't willing to put in that effort.
@CyberShadow
Copy link
Owner

Not sure how feasible this would be to implement, considering...

  • People can post via email or NNTP. Some people use email/NNTP and the forum web interface interchangeably.
  • Requiring people to sign up for an account would create a barrier for new users.
  • Currently, there are no password recovery options because accounts don't have much intrinsic value, so that would need to be fixed first before additional meaning is given to forum accounts.
  • It is trivial to circumvent "reserved" names by using slightly modified names (e.g. Vladimir Pantaleev), substituting look-alike characters from other alphabets (e.g. a vs. а), insert zero-width whitespace or Unicode combining character, etc.

One idea I had was to implement GPG signing and verification of messages. In the web UI, it could be done either by letting the user specify their own key which is kept strictly client-side (with the signing done in JS), or by letting the server have its own secret keypair. Then, posts by verified users could have a green checkmark by their name or something like that, similar to GitHub commits. Still, that only helps with some of the above points, and wouldn't stop someone from creating a keypair tied to a similarly-looking name.

@schveiguy
Copy link
Author

People can post via email or NNTP. Some people use email/NNTP and the forum web interface interchangeably.

This would only affect the forums. Not much we can do about mailing lists or NTTP, but my guess is that trolls normally will not use those interfaces.

Requiring people to sign up for an account would create a barrier for new users.

You wouldn't be required, but don't get a name reservation unless you do.

t is trivial to circumvent "reserved" names by using slightly modified names

Yes, I know. But this is still a distinction that isn't otherwise present when you copy the name exactly.

substituting look-alike characters from other alphabets

That's more difficult to prevent. I suppose one could build a list of such characters and "normalize" the names before checking. But it's really not something I think is all too common on our little corner of the Internet. Maybe it's too much to try and prevent such things.

insert zero-width whitespace or Unicode combining character, etc.

Just remove all whitespace/capitalization when doing the comparison.

One idea I had was to implement GPG signing

Would that be usable via the NNTP or mailing list interface?

@CyberShadow
Copy link
Owner

Would that be usable via the NNTP or mailing list interface?

Yes, if interoperability wasn't a concern, there would be much simpler ways.

In any case, it would still take a bit of work.

@schveiguy schveiguy changed the title Disallow impersonation Disallow impersonation or certify authenticity of posters May 23, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@CyberShadow @schveiguy