User:Lunkwill/nym

This page is too crowded: Wikipedia:Village pump (proposals)#Privacy protecting authentication via nym. Moving discussion of the proposal to: User talk:Lunkwill/nym. Also creating a voting section at the bottom of this page. Lunkwill 00:40, 2 December 2005 (UTC)

Executive summary

 * I've built a software package called nym which could be used to allow users of anonymizing networks and shared-IP networks like schools to edit Wikipedia. Privacy would be preserved, yet admins would still be able to block IPs of vandals.


 * The software includes patches to WikiMedia, which I have submitted to MediaWiki's patch-review system.


 * Wikipedia needs to decide whether to accept my proposal and patches. The patches are small and easy to implement; mainly it's a question of whether we're willing to try it out.

I don't think we should accept your proposal thanks all the same, dear chap. I like wikipedia the way it is and I think we all do actually. Wikipedia is great.

Overview
Recently there was a lot of discussion on the Tor email list about ways in which Tor users could contribute to Wikipedia articles. For a while now, all the Tor exit nodes have been blocked from editing due to vandals using Tor to disguise their actual IP addresses.

(But note that there are also benefits for other users of shared-IP services such as school proxies; see below)

It was proposed that cryptographic techniques could be used to ensure that vandals can be blocked, while still allowing helpful users to edit. I implemented such a system and called it nym. It enforces Wikipedia's current mechanism of filtering incoming users by IP address, but allows users to still enjoy privacy via Tor.

How it works
To use nym, user Alice would do the following:
 * Turn off Tor (so that her real IP is visible)
 * Visit a web page with her JavaScript-enabled browser. The browser does some math, then contacts a token server to obtain a data token in "exchange" for her IP address. (Tor exit nodes and currently-blocked IPs would be refused tokens.) Such a token can only be obtained once per IP address (or optionally, once per address per time period).
 * Clicking a few buttons and doing a little cut-and-paste, she trades the token for an SSL client certificate which she loads into her browser. The certificate certifies that she received it in exchange for a real IP address, but doesn't reveal what that address is.
 * She turns Tor on again, and connects to a service such as Wikipedia. The service uses her certificate ID as a pseudonym instead of the IP address of the Tor exit node she used to connect to Wikipedia. This ID shows up anywhere the IP address of a non-nym user would have shown up.
 * If she misbehaves, admins block her certificate just as they would have blocked her real IP. Now she faces the same challenge as other vandals, since she must obtain a new IP address and redo the whole issuing process in order to circumvent the block.
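
The issuing steps above can be sketched as follows. This is an added example, not nym's own code: it assumes the "math" is an RSA blind signature (the page does not name the scheme), uses a toy key, and the class names and IP addresses are constructed for illustration.

```python
import hashlib, secrets
from math import gcd

# Toy RSA key for the token server, built from two Mersenne primes.
# Constructed for this example; far too small for real use.
P, Q, E = 2**89 - 1, 2**61 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def h(token: bytes) -> int:
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

# Alice's browser: the "math" done before contacting the token server.
def blind(token: bytes):
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r, h(token) * pow(r, E, N) % N

def unblind(blind_sig: int, r: int) -> int:
    return blind_sig * pow(r, -1, N) % N

# Token server: sees the real IP, but only a blinded value.
class TokenServer:
    def __init__(self, refused):
        self.refused, self.served = set(refused), set()
    def issue(self, ip: str, blinded: int):
        if ip in self.refused or ip in self.served:
            return None               # Tor exit, blocked IP, or already served
        self.served.add(ip)
        return pow(blinded, D, N)     # signature on a value it cannot read

# Certificate authority: sees the token, never the IP.
class CertAuthority:
    def __init__(self):
        self.spent, self.serial = set(), 0
    def certify(self, token: bytes, sig: int):
        if pow(sig, E, N) != h(token) or token in self.spent:
            return None               # forged signature or replayed token
        self.spent.add(token)
        self.serial += 1
        return self.serial            # certificate ID used as the pseudonym

def demo():
    ts, ca = TokenServer(refused={"198.51.100.7"}), CertAuthority()
    token = secrets.token_bytes(16)
    r, blinded = blind(token)
    sig = unblind(ts.issue("203.0.113.5", blinded), r)
    return ts, ca, token, blinded, sig
```

The token server never sees the value that is later presented to the certificate authority, so the two records cannot be joined to recover the IP behind a pseudonym, while a block still costs the user one IP address.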

There is a live test system for nym, including a MediaWiki installation. You can try this process yourself from this page: nym client.

Other benefits
Say Alice goes to a school which uses a single proxy, and has never heard of Tor. Her classmate Bob is a vandal and gets the school blocked regularly. Alice can go home, obtain an SSL certificate from her home computer's IP, then load the certificate on her computer at school using her keychain drive. If it's a shared terminal, she simply removes the certificate at the end of her session.

Potential problems
Most of the ways nym can be abused are no different from the challenges Wikipedia already handles on a daily basis. A vandal with access to many IP addresses can use nym to obtain many certificates, all of which would need to be blocked. But this is already the case with Wikipedia.

Nym has the disadvantage that it hides the originating IP, making it more difficult to identify the source of vandalism, although a vandal using a set of IPs to obtain certificates in succession would still end up with certificates with adjacent serial numbers (which could then be blocked as a group). On the other hand, at least for the Javascript client I've described, obtaining each certificate takes several minutes, whereas traditional Wikipedia vandals can make new edits as quickly as they can switch IP addresses.

The issue to decide
Ultimately, Wikipedia must decide whether to support nym. The technical requirements are quite reasonable; mainly, we must decide whether the potential hassles are worth the ability to offer privacy to our editors.

Disadvantages:


 * New systems always have bugs, costing techie and user time.
 * Determined vandals will have another avenue for attack.
 * Much lessened anonymity - instead of mixing with all Tor users, you only mix with Tor users who have Wikipedia accounts and use nym.
 * Allows vandals to "store up" IP addresses over a long period of time and then use them all at once.
 * Doesn't work well for users with dynamic IP addresses - if someone ever got a token using the IP address you're using, you can't get one.
 * Users who run Tor exit nodes themselves can't get a token.

Advantages:


 * Even if nym fails horribly (say someone finds a bug which allows certificates to be forged in seconds, or vandals are the only people who end up using nym), switching off nym support entirely will be quite trivial, leaving us right back in the situation we're in now. And if we later decide to support nym, it will be easy to start over and make all the nym users obtain new certificates.


 * Some Tor users will be grateful.


 * Wikipedia provides a perfect low-risk testbed for privacy/pseudonymity systems like nym. Our experiences will be of value to security researchers.


 * Regardless of Tor, users behind single-IP proxies can be distinguished, allowing just the vandals to be blocked.


 * As nym demonstrates its privacy protecting claims over time, users facing oppressive laws may be willing to contribute information they would otherwise be afraid to reveal. (Particularly of interest to Wikinews).

Source code and documentation for nym, along with the preprint of an academic paper describing nym, can be found at the nym site.

Votes

 * For. (But then, I'm a little biased.) Lunkwill 00:40, 2 December 2005 (UTC)


 * For. It can always be reverted later. Derfy 20:50, 2 December 2005 (UTC)


 * For. It will help security researchers


 * For. But it needs more supporting software (e.g., Firefox plugin) to be more transparent to the end user. Mike Halcrow 20:40, 2 December 2005 (CST)


 * For. Maybe need to make it a little easier for end-users --Mosesofmason 08:16, 4 December 2005 (UTC)


 * For. I'd like to use it. --Commonchaos 17:59, 6 December 2005 (UTC)


 * For. I am a Tor user and a wikipedia non-abuser. Sandos 22:20, 21 December 2005 (UTC)


 * For. I am also a Tor user (newly so, struggling with it, and now with wikipedia too).  I toggled Tor off briefly to make this post, against my better judgement.  --Duff 21:42, 13 July 2007 (UTC)


 * For. Sounds great.  Why not give it a try? --Coppertwig (talk) 01:19, 1 February 2008 (UTC)
 * For. Sounds good and there is no lasting harm if it fails, so what is there to lose?