Not planned Make harder for banned members to re-register with Evercookie

AlexandrosD

AlexandrosD

Active member
Evercookie creator said:
What is the point of evercookie? Evercookie is designed to make persistent data just that, persistent. Bystoring the same data in several locations that a client can access, if any of the data is ever lost (for example, by clearing cookies), the data can be recovered and then reset and reused.
Click to expand...
See more @ http://samy.pl/evercookie/

Anyone can easily change their IP address and delete their session cookies, something that allows banned members to easily re-register.
It'd be awesome if evercookie gets implemented somehow in xenforo. An add-on would also do nice I suppose. Test it by yourselves. You can even change your browser. It can still detect you :D
I have just suggested g0rn, the creator of Multiple Account Detection add-on, to use evercookie with his last add-on.
 
Upvote 11
This suggestion has been closed. Votes are no longer accepted.
Alfa1 said:
I wonder if it looks more positive for evercookie when tested on older browsers. From the above it looks like EverCookie is pretty useless. It will just increase the instances of banned member detection a bit.
Click to expand...
More or less the same. Outdated browsers won't support HTML5 Storage and the Canvas element, so EverCookie loses out on at least these 5 locations:

- HTML5 Canvas tag
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite

And no, neither the EverCookie script nor the cookies it creates in your system are malware. Most of the locations, individually, are perfectly valid for storing user data. Using these locations all at once to store the same data doesn't make it malware.

Getting rid of these cookies is not a big deal. If you have "Private" browsing enabled, you just have to restart the browser. And for a "Normal" browsing session, clearing your browser's cache + history and restarting it will remove all of the cookies created by evercookie except these two: LSO (Flash cookie) and Silverlight Storage.

Flash cookies can be removed (and disabled) via Adobe's web based settings panel. As for the Silverlight storage, I don't know since I haven't used it.

That said, I won't use it on any of my websites or forums, and I won't recommend it to anyone else either. Relying on such client-side storage to block or ban users is just futile. Trolls who really want to return to your website will do so and no amount of "cookies" will deter them. So why degrade your other users' browsing experience?
 
groundup said:
Tanax, once again, inflammatory remarks serve no purpose in a peaceful debate. You claim I, a person who helps develop forum software and has for the better part of a decade, doesn't know what they're talking about. Yet, you still don't understand the definition of malware or a person's right to not be tracked. You are looking at this idea in a very myopic world of a forum admin. You don't see the privacy issues that can come from something where a person has no choice on being tracked. There is nothing regular about this software. You're right, it creates several normal forms of tracking a person. Yet, it also goes much further in that it continually places these cookies even after you've requested to remove them and there are many of them where browsers have not created a way of telling a website not to place them on your computer.

If it is your right to use it, it is my right to remove it, correct? Well, how do you remove all of the tracking devices Evercookie uses? There should be information as to how to remove them. Otherwise, you're claiming your rights as an admin are more important than everyone of your users' individual rights. I can't stomach that.

Once again, you're the one that keeps saying evercookie's tracking "cookies" (which they aren't all even close to being cookies) are malware. I have stated numerous times that evercookie, the application or API, is malware. As you continually quote me, it shouldn't be hard for you to read what I've written before.

You're insulting and inflammatory remarks about how I don't know what I'm talking about are beginning to slightly aggravate me. At no point have I said anything about your person, merely the views that you have.

I think I am done with this. I am pretty sure no forum software will institute this natively with all of the privacy concerns involved.
Click to expand...

The cookies doesn't harm the user in any way except blocking them from accessing that particular website.
Tell me again how that is harmful...?

I have indeed quoted you several times and every time you just say that it is considered a malware and gives me a quote from wikipedia or alike about malware criterias. Like I've said before, if you define malware as a software that is infiltrating computers without the user consent, then FireFox, Internet Explorer and all other browsers are malware. They do not inform you every time they create a cookie on your computer.

And the comment about admin's rights being more important is exactly correct. For instance, it is the police's rights to detain me, right? Then it should be my right un-detain me. Otherwise you're claiming that the police's rights are more important than everyone in the country. Of course this is incorrect, the police HAVE the rights to detain me and I have no right to un-detain me(at least not without a trial - obviously it's a little bit different on the Internet). What I mean is, as an admin I have the rights to keep anyone from accessing my board. For whatever reason. Perhaps it can be considered bad to keep someone from accessing the board without a good reason but regardless of that, it is my right as the admin. If that means I need to place some additional cookies on the user's computer(that the user won't even notice!!!), then so be it.

Internet providers are more often now using dynamic IP's and there are proxy IP providers aswell. These things make it virtually impossible to ban someone from your site. EverCookie provides a means to go around this, at least make it a little bit harder. Personally I don't see ANY problems with that. And rest assured, no one will be able to press charges against you for placing cookies on their computers without their consent, otherwise a lot of websites would have gone under.
 
Shadab said:
And no, neither the EverCookie script nor the cookies it creates in your system are malware. Most of the locations, individually, are perfectly valid for storing user data. Using these locations all at once to store the same data doesn't make it malware.
Click to expand...

This. Finally. Perhaps this is a better constructed sentence to express what I'm trying to tell you groundup.
 
It would also be nice to see evercookie for banned members. So if a user is in the usergroup 'banned members' then give them a evercookie.
Evercookie includes html5 web storage, but also implements a variety of cookie methods which are pretty hard to delete.


evercookie is a javascript API available that produces
extremely persistent cookies in a browser. Its goal
is to identify a client even after they've removed standard
cookies, Flash cookies (Local Shared Objects or LSOs), and
others.

evercookie accomplishes this by storing the cookie data in
several types of storage mechanisms that are available on
the local browser. Additionally, if evercookie has found the
user has removed any of the types of cookies in question, it
recreates them using each mechanism available.

Specifically, when creating a new cookie, it uses the
following storage mechanisms when available:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite

TODO: adding support for:
- Caching in HTTP Authentication
- Using Java to produce a unique key based off of NIC info

Got a crazy idea to improve this? Email me!
Click to expand...
http://samy.pl/evercookie/
 
If this were implemented you need to inform people that if they sign up to your site, they agree that you bloat their browser with special cookies if they get banned. Also, for your already registered users, you need to email them and inform them of the change and whether they agree with it. Give them a deadline to think about it and if they don't agree they can request a deletion of their account.
 
This is already the case for the cookies, Xenforo work with.
This law is so stupid elsewhere...
 
It's bad enough trying to get things to where you aren't being tracked all over creation. We already know that "do not track" is virtually ignored by many websites. Adding evercookies would create a bit of an uproar in many communities.

The addition of evercookies would be a huge turn off for my users, and I'd imagine, many others who visit XF sites. I would hope that if this is seriously considered for inclusion into the software, that the option is given to admins as to whether they want to implement this type of cookie or not. Because personally, I would never knowingly implement this on my site.
 
Biker said:
It's bad enough trying to get things to where you aren't being tracked all over creation. We already know that "do not track" is virtually ignored by many websites. Adding evercookies would create a bit of an uproar in many communities.

The addition of evercookies would be a huge turn off for my users, and I'd imagine, many others who visit XF sites. I would hope that if this is seriously considered for inclusion into the software, that the option is given to admins as to whether they want to implement this type of cookie or not. Because personally, I would never knowingly implement this on my site.
Click to expand...

Agree. I would never implement this either. It would be enough to push me away from software that does use it.
 
Tu peut décourager sont IP le seul choix qu'il aura sera d'utilisé un VPS ou autre du style,
et tu peut aussi installer l'addons contre les proxy ainsi il sera bloquer
 
No ani Ancuetas said:
Tu peut décourager sont IP le seul choix qu'il aura sera d'utilisé un VPS ou autre du style,
et tu peut aussi installer l'addons contre les proxy ainsi il sera bloquer
Click to expand...

Le problème c'est qu'il change d'ip toutes les 2 heures, c'est un membre qui était très actif et que l'on à ban car il insultez des personnes de manière soudaine et impulsif sur la shootbox même après x avertissements, il ne semble pas décidé de partir au contraire et semble vouloir nous déranger...
 
Enfaîte l'addons contre les proxy permet justement de le lui bloquer l'accès a ton site avec un message lui disant qu'il utilise un VPS.
Il ne pourra plus te nuire ...
 
Et sa marche même s'il change d'ip en redémarrant ça box ?
Sinon c'est quoi le nom de l'addon stp, j'ai été largué au milieu de la discussion au niveau de l'anglais ^^
 
Ok merci, c'est installé et après avoir regardé les ip, je remarque qu'elles proviennent d'endroits différent, il passe donc probablement via un proxy comme tu l'a suggéré :)
 
Back
Top Bottom