XF 2.0 Protect Xenforo, seriously

V3NTUS

Let's face it: sooner or later your community will grow enough that you'll start thinking about improving your security for many reasons, and you'll end up looking for a way to protect your forum from double accounts, which usually end up being threats to your users.

What's the root of it? The registration, probably.

Although Xenforo does already provide a way to detect double accounts, it's not accurate at all, especially nowadays, when over 40% of internet users declare that they use a VPN to protect their identity. The downside of this is that, obviously, IP addresses are no longer a good way to identify a person, as there could be thousands if not millions of people behind the same IP address.

So what to do? I think it's time to look for alternative and improved ways to spot and immediately reject double accounts.

I did a quick Google search, and I ended up here: https://superuser.com/questions/1036422/how-can-a-website-recognise-a-multiple-account-usage

They're discussing potential ways to detect multiple-account usage.

The point is, could the Xenforo developers finally provide a definitive way to protect our forums from this plague?

It looks like there are countless ways to prevent it, and although none of them might be 100% accurate, I feel it's worth a try, so why don't you add browser fingerprint detection, Evercookie detection or all the other countless ways I'm sure are available to accomplish this?

I personally think it's a very important topic, as it's the root of serious issues such as spam attacks coming from the same machine, or banned users circumventing bans/discouragements simply by rebooting their routers. It's 2018 (nearly 2019) and we're still far from beating spammers or threats in general; I guess it's time to start getting smarter.

Thanks for reading.
 
While I agree with your post, I do feel like I have to point out one thing:
why don't you add a Browser Fingerprint detection, Evercookie detection or all the other countless ways I'm sure are available to accomplish this?
Specifically for the two things you mentioned by name, there are privacy concerns when dealing with those measurements. Furthermore, in the next version of macOS, it will be impossible to accurately fingerprint Safari users because Safari will not return accurate data for the data points fingerprints use. For instance, the list of fonts will be made more generic, and it will no longer be possible to obtain the full list of installed plugins.

If these privacy features receive universal acclaim, it would not be far-fetched to assume that other browsers will follow suit. Especially Firefox, which is (as far as I know) more privacy-focused than Google Chrome is (not counting Chromium forks).

Therefore, I think the XF devs would be loath to add multi-account detection features that rely on breaches of user privacy and/or would necessitate admins updating their privacy policies.

I'm honestly not sure whether it would be possible to reliably detect multiple accounts without measures that could be seen as an invasion of privacy. IP addresses are different, as they are a necessary part of the web, but I think there's a general understanding in terms of privacy laws and regulations that if a user declines cookies and/or clears cookies from the browser, the cookies should be dead and gone.

I would be interested in hearing @Kirby weigh in on this :)


Fillip
 
Thanks for your reply Fillip, I appreciate it :)

What do you think of this approach? We don't initially track this info for all registered users, but instead add this detection only for users we previously banned/discouraged?

I know, this is like circumventing the law and it's probably not the best approach, but more generally speaking, I think there should be a limit to what privacy is meant for. If we only aim at protecting our community (hence, our users), I think it's a good cause to do it.

For example, although Xenforo doesn't give admins a direct way to read others' private conversations (and I fully agree with it, I respect the privacy of everyone), I found it right for me to go to my database and search all the private conversations of some users I banned after finding out they were sending spam messages via private conversation to my users. I found out it was happening because some friends reported to me that they had received such messages, and in this case I found it legitimate to dig more in depth.

Again, thank you for your feedback about this matter, it means a lot to me to hear from someone else, and I'm glad to see I'm not the only one worried about these problems.
 
I forgot to actually add a conclusion to my previous post :D

I think that because of the possibility of privacy concerns, especially in the wake of the GDPR, it would be unsurprising if the XF devs decided this was something that should best be left up to 3rd party developers to add as a feature to multi-account detection mods.

If someone enables a feature in XF2, and they ignore the warnings of "if you turn this on, you need to make sure you disclose this in your Privacy Policy", then it would be theoretically possible for XenForo Ltd. to be named as part of proceedings if for some reason a case involving this went to court. Even if no penalties occur, even if the court found the warning to be sufficient, it would still be grief (and cost) that I'm sure they do not need.

However, if someone installs a third party mod, and then also enables this feature, then XenForo Ltd. would be in the clear because they didn't facilitate the breach of privacy by any reasonable definition. The admin would clearly be in violation because they are the one who explicitly acquired a tool to commit the breach, they explicitly installed the tool, etc.

You may be thinking that worrying about legal proceedings is an ultra-super-duper-worst-case scenario and you would be right. Part of our jobs as programmers is figuring out all the ways the features we add can be misused and then weigh it against the potential benefits of adding said features.

Maybe I'm being overly cautious and overly paranoid, I'm not a legal expert by any means so maybe there's no chance of XenForo Ltd. being named even if a suit did occur and the feature was added to the core. Could be something to think about, though.


Fillip
 
So what to do? I think it's time to look for alternative and improved ways to spot and immediately reject double accounts.
(and also @DragonByte Tech) It's pretty much something a lot of sites do: They use local storage types. This way, for example, Stackoverflow can log you in even when you have cleared your regular cookies (see https://meta.stackexchange.com/ques...ow-automatically-login-after-resetting-safari).
From the privacy point of view, it's not a cookie :-) And it can't be considered personal information either because it can be just about anything without actually belonging to a real person.
 
While there is a lot of fuss about privacy because of the hefty fee, keeping your site free from abuse, hate speech, fake news, trolls is actually far more important legally. It is also fairly likely that hefty fines for abuse are one of the next tricks up the EU's sleeves. Germany already has a ban on it that imposes millions in fines. Facebook just this week tried to push back in a disastrous way.

I don't see it ending well. Regulation is likely.
Please read my related suggestion about tools to counter hate speech:
https://xenforo.com/community/threa...port-and-moderate-illegal-hate-speech.127828/

Without adequate multiple account detection it is very hard to protect from abuse. My guess is that tools to address abuse will become mandatory and that we will see something like the GDPR hysteria situation happening in the coming years.
 
I would be interested in hearing @Kirby weigh in on this :)
I am not going to comment on technical issues, as those have already been explained pretty well.

Although our community managers really hated this, we removed all multi-account detection features on our forums several years ago, as our lawyers considered them unlawful under § 15 (3) TMG.

It's a major PITA, but unfortunately there seems to be no way to do something like this in a legally allowed way.

If someone enables a feature in XF2, and they ignore the warnings of "if you turn this on, you need to make sure you disclose this in your Privacy Policy", then it would be theoretically possible for XenForo Ltd. to be named as part of proceedings if for some reason a case involving this went to court. Even if no penalties occur, even if the court found the warning to be sufficient, it would still be grief (and cost) that I'm sure they do not need.
That is already the case for many features that need either full disclosure (Analytics, Connected Accounts, Anti-Spam Services), must never be turned on (Gravatar) or are pretty problematic if used (Embedded 3rd Party Content, Image Proxy).
 