How to reliably identify users across Internet?
I know this is a big one. In fact, it may be used for some SO community wiki.

Anyway, I am running a website that DOES NOT use explicit authentication of users. It's public as in open to everybody. However, due to the nature of the service, some users need to be locked out due to misbehavior.

I am currently blocking IP addresses, but I am aware of the supposed fact that many people purposefully reset their DHCP client cache to have their ISP assign them new addresses. Is that a fact? I think it certainly is a lucrative possibility for some people who want to circumvent being denied access. So IPs turn out to be a suboptimal way of dealing with this. But there is nothing else, is there?

MAC addresses don't survive on WAN (change from hop to hop?), and even if they did, these can also be spoofed, although I think less easily than IP renewal.

Cookies and even Flash cookies are out of the question, because there are tons of "tutorials" on how to wipe these, and those intent on wreaking havoc on the Internet are well aware of and well equipped against such rudimentary measures as I would employ.

Is there anything else to lean on? I was thinking of heuristic profiling: collecting available data from the client side and forming some key with it, but I have not gone as far as implementing it. Is it an option?

Flinn answered 28/4, 2010 at 13:45
If you can figure this one out, patent it - you'll be rich :) (Previdi)
Yes, many ISPs will reissue an IP simply by power cycling their modem. (Spartan)
What are these users doing? Are they doing a read-only DoS, or are they writing content? If the former there's not much you can do. If the latter, then authentication is the way to go. (Preparator)
They are writing content. But at this point authentication is out of the question - we don't have that many users, so we'd lose more of them by forcing them to register. OpenID is out of the question, since there is a chance of accepting users coming from a bogus OpenID provider. I am still thinking of profiling as identification... (Flinn)

You are not going to be able to completely block a user who is determined to access your site. You can, however, make it difficult enough for them that it isn't worth their time.

Alisha answered 28/4, 2010 at 13:48

Due to the nature of the internet, this isn't practically possible. Yes, you can block specific IPs, but as you've said, it's easy enough for the average "misbehaver" to simply change their IP. Even MAC addresses can be spoofed. This is why sites with these problems use authentication. It's the only real solution.

Denticulation answered 28/4, 2010 at 13:49

As others have said, this is an impossible problem. Anyone determined enough can always find another way in. The canonical example of this problem is with Wikipedia, and you can read about the various blocking steps they take here: http://en.wikipedia.org/wiki/Blocking_policy

Aranda answered 28/4, 2010 at 13:52

The simple answer is that this is impossible. As others (including yourself) have already said, anyone determined will find another way.

You can block IPs or use cookies to deter the casual troublemaker. Someone who just wants to post rude words in blog comments will probably go elsewhere, but it won't scare off someone who wants to cause trouble on your site specifically.

If this misbehaviour is a serious problem for you, then I think your only recourse is to require authentication for any kind of access that could be subject to such abuse.

You can minimise the annoyance to your users by using OAuth, and accepting many different providers, much as SO does, rather than forcing all your users to sign up and memorise yet another set of login credentials.

Averroes answered 28/4, 2010 at 14:00
Thank you for the answer. I think OpenID, for instance, would not do, because there will eventually come bogus OpenID providers with the sole intent of disrupting user identification for relying parties. (Flinn)
@amn: You can accept just the OpenID providers you have verified and trust. (Stenosis)
