Bitcoin Forum
Topic: Combating cheating by analyzing browser fingerprints (Read 2106 times)
giantdragon (OP)
August 29, 2012, 10:52:02 PM
 #1

First, I want to thank a user from Rugatu who suggested this idea!

As you know, IP addresses can be easily spoofed by using TOR, proxies, VPNs, etc. Blocking anonymizers altogether is a bad solution because many legitimate users may use them for privacy purposes (among Bitcoin users, this rate is even higher).

The Electronic Frontier Foundation has published a paper which suggests using an aggregated hashed value of various browser parameters (user agent, screen resolution, timezone, plugins, etc.) to ensure the uniqueness of each user.

This technology may be useful for services that want to restrict the number of times the same user can perform a specific action (e.g. clicking an ad, requesting free Bitcoins at a faucet, etc.). I have enabled this feature on my sites CoinURL and Daily Bitcoins and now see promising results. I suppose other services would also consider enabling this method!
Mr. Coinman
August 30, 2012, 12:03:20 AM
 #2

That's a really interesting concept. Hopefully more services will start to adopt it.

stevegee58
August 30, 2012, 12:06:28 AM
 #3

A custom browser or stripped-down variant of Firefox could be put together that gives away nothing.

Besides, why would someone in BTC want to combat anonymity?  Get burned by pirate?

You are in a maze of twisty little passages, all alike.
giantdragon (OP)
August 30, 2012, 12:53:54 AM
 #4

> A custom browser or stripped-down variant of Firefox could be put together that gives away nothing.

I don't suggest using this technology exclusively; it is just another protection barrier. It will create more difficulties for the fraudsters and decrease their willingness to cheat.

> Besides, why would someone in BTC want to combat anonymity?  Get burned by pirate?

Absolute anonymity will make some Bitcoin services like advertising networks or faucets impossible to run. Their operators must have the ability to ensure users' uniqueness (even without knowing who is behind the anonymizer).
flipperfish
August 30, 2012, 09:47:59 AM
 #5

https://addons.mozilla.org/de/firefox/addon/firegloves/
giantdragon (OP)
August 30, 2012, 01:20:50 PM
 #6

Just tried this extension. It seems that all users who have installed it will have the same fingerprint, making identification of a specific user impossible. But the service operator can just reject requests made with this ID (i.e. block all users who have enabled it in the browser).
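
Added example, not part of the original posts and not the code running on CoinURL or Daily Bitcoins: one way to combine the hashed browser parameters from the opening post with a per-IP limit, and to flag a fingerprint seen from many addresses (such as the uniform one described in post #6) rather than silently treating it as one user. The field names, the `ClaimLimiter` class, the thresholds and the sample data are assumptions of this sketch.

```python
import hashlib
from collections import defaultdict

# Parameters listed in the opening post; the field names are assumptions of this sketch.
FIELDS = ("user_agent", "screen", "timezone", "plugins")

def fingerprint(attrs):
    """Hash the browser parameters, in a fixed field order, into one identifier."""
    parts = []
    for name in FIELDS:
        value = attrs.get(name, "")
        if isinstance(value, (list, tuple)):   # plugin order must not change the hash
            value = ",".join(sorted(value))
        parts.append(f"{name}={value}")
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()

class ClaimLimiter:
    """Allow one action per window per fingerprint and per IP address."""
    def __init__(self, window=86400, shared_after=3):
        self.window = window              # seconds between allowed actions
        self.shared_after = shared_after  # distinct addresses before a print counts as shared
        self.last = {}                    # ("ip"|"fp", value) -> time of last allowed action
        self.ips = defaultdict(set)       # fingerprint -> addresses it was seen from

    def _recent(self, key, now):
        seen = self.last.get(key)
        return seen is not None and now - seen < self.window

    def is_shared(self, fp):  # seen from many addresses, e.g. a uniform extension print
        return len(self.ips[fp]) >= self.shared_after

    def check(self, attrs, ip, now):
        fp = fingerprint(attrs)
        self.ips[fp].add(ip)
        if self._recent(("ip", ip), now):
            return False, "ip_reused"
        if self._recent(("fp", fp), now):
            return False, ("fingerprint_shared" if self.is_shared(fp) else "fingerprint_reused")
        self.last[("ip", ip)] = self.last[("fp", fp)] = now
        return True, "ok"

# Constructed sample data: a made-up browser and documentation-range addresses.
BROWSER_A = {"user_agent": "ExampleBrowser/1.0", "screen": "1280x800",
             "timezone": "-120", "plugins": ["pdf", "flash"]}

if __name__ == "__main__":
    limiter = ClaimLimiter()
    for t, ip in enumerate(["192.0.2.1", "192.0.2.2", "192.0.2.3"]):
        print(ip, limiter.check(BROWSER_A, ip, now=t * 60))
```

The `fingerprint_shared` reason lets the operator decide separately what to do with a print that many addresses present, which is the policy question argued in the replies that follow.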
stevegee58
August 30, 2012, 02:45:42 PM
 #7

> But the service operator can just reject requests made with this ID (i.e. block all users who have enabled it in the browser).

That's just plain silliness.  A service and its potential users can eternally play this game of technological whack-a-mole but to what end?  Eventually there would be no users of the service.

Now you can create a Firefox add-on that randomizes the fingerprint instead of making them all the same.  Or even better, create plausible counterfeit fingerprints.

What's next?

You are in a maze of twisty little passages, all alike.
giantdragon (OP)
August 31, 2012, 03:30:25 AM
 #8

> That's just plain silliness.  A service and its potential users can eternally play this game of technological whack-a-mole but to what end?

As I said before, this technology is just an ADDITIONAL measure to uniquely identify a user. It cannot be used alone, but adds another brick in the protection wall.
SgtSpike
August 31, 2012, 04:58:11 PM
 #9

> > But the service operator can just reject requests made with this ID (i.e. block all users who have enabled it in the browser).
>
> That's just plain silliness.  A service and its potential users can eternally play this game of technological whack-a-mole but to what end?  Eventually there would be no users of the service.
>
> Now you can create a Firefox add-on that randomizes the fingerprint instead of making them all the same.  Or even better, create plausible counterfeit fingerprints.
>
> What's next?

Are people really going to go through that much effort to get an extra 0.001 BTC/day?  Maybe a few, but most won't.  As giantdragon says, each step of difficulty means fewer people will be doing it.  It won't eliminate cheating completely, from those who are very persistent about it, but it helps deter some cheaters.

It's like saying, why bother building a fence around your property?  People can still hop the fence and get in.  Why bother putting barbed wire on top of a fence?  People can still put heavy clothes on top of it to get over it.  Or they can cut through the chain link fence.  Therefore, we shouldn't build fences at all.
stevegee58
August 31, 2012, 05:12:40 PM
 #10

> Are people really going to go through that much effort to get an extra 0.001 BTC/day?  Maybe a few, but most won't.  As giantdragon says, each step of difficulty means fewer people will be doing it.  It won't eliminate cheating completely, from those who are very persistent about it, but it helps deter some cheaters.
>
> It's like saying, why bother building a fence around your property?  People can still hop the fence and get in.  Why bother putting barbed wire on top of a fence?  People can still put heavy clothes on top of it to get over it.  Or they can cut through the chain link fence.  Therefore, we shouldn't build fences at all.

That's fine until the Russian mob sends the commandos over to cut through your cyber chain link fence and get at your goodies.

You are in a maze of twisty little passages, all alike.
gbl08ma
August 31, 2012, 05:23:20 PM
 #11

> extra 0.001 BTC/day

Actually it's more like 0.0001 BTC/day on OP's faucet.

IMHO, adding yet another variable to the list of things to check only increases the chances that one of the validation steps fails, making it more cumbersome to get that 0.0001 BTC. And when people can't get money from your website, they'll stop coming back to it, which equals less advertising revenue.

More and more people care about their privacy on the internet and some don't like the fact that they are being tracked and bubbled. This means the crowd of people that already block ads, Google Analytics and JavaScript on unknown websites will get into the next step and block websites from knowing their user agent, referrer and other browser information. Sure, you can always ask them to disable these privacy features on your website for it to work (much like "we're the cops, show us your ID"), but then some will say "so much for this? I'm not coming back here!" (and in the specific case of Bitcoin faucets, they'll say in addition "I thought you were going to give me free bitcoins, is this a SCAM?").
Personally, I go away from websites which force me to disable my ad blocker before I can visit them; now imagine if I hid my user agent and these websites forced me to disable my ad blocker AND show them who I am.

SgtSpike
August 31, 2012, 06:01:04 PM
 #12

> > Are people really going to go through that much effort to get an extra 0.001 BTC/day?  Maybe a few, but most won't.  As giantdragon says, each step of difficulty means fewer people will be doing it.  It won't eliminate cheating completely, from those who are very persistent about it, but it helps deter some cheaters.
> >
> > It's like saying, why bother building a fence around your property?  People can still hop the fence and get in.  Why bother putting barbed wire on top of a fence?  People can still put heavy clothes on top of it to get over it.  Or they can cut through the chain link fence.  Therefore, we shouldn't build fences at all.
>
> That's fine until the Russian mob sends the commandos over to cut through your cyber chain link fence and get at your goodies.

No one said this would prevent all cases of cheating, but it does help prevent some of them.

@ gbl08ma - I agree.  Certainly, it is a choice both for the faucet website to implement anti-cheat measures, and a choice for the user to decide whether they wish to comply with that level of anti-cheat measures.  Some users may indeed opt to not use some faucet websites based on the difficulty in acquiring the handout.
stevegee58
August 31, 2012, 06:14:46 PM
 #13

Much of my argument is academic anyway.  As someone pointed out earlier, as you add more and more security checks, managing them becomes more and more unwieldy.

The sensible approach is to cull the universe of checks down to a small manageable set that gets most of the problems.  This browser fingerprint approach might very well be useful or it may not.  You may also find it's not worth the hassle and stick with the 5 other things that work reasonably well.

You are in a maze of twisty little passages, all alike.
SgtSpike
August 31, 2012, 06:21:13 PM
 #14

> Much of my argument is academic anyway.  As someone pointed out earlier, as you add more and more security checks, managing them becomes more and more unwieldy.
>
> The sensible approach is to cull the universe of checks down to a small manageable set that gets most of the problems.  This browser fingerprint approach might very well be useful or it may not.  You may also find it's not worth the hassle and stick with the 5 other things that work reasonably well.

It's not my site, but yes, I agree there is a balance between security measures and reasonability of use/maintenance.  Certainly, that is up to each site owner to decide.
Mr. Coinman
September 01, 2012, 07:31:49 AM
 #15

> > > But the service operator can just reject requests made with this ID (i.e. block all users who have enabled it in the browser).
> >
> > That's just plain silliness.  A service and its potential users can eternally play this game of technological whack-a-mole but to what end?  Eventually there would be no users of the service.
> >
> > Now you can create a Firefox add-on that randomizes the fingerprint instead of making them all the same.  Or even better, create plausible counterfeit fingerprints.
> >
> > What's next?
>
> Are people really going to go through that much effort to get an extra 0.001 BTC/day?  Maybe a few, but most won't.  As giantdragon says, each step of difficulty means fewer people will be doing it.  It won't eliminate cheating completely, from those who are very persistent about it, but it helps deter some cheaters.
>
> It's like saying, why bother building a fence around your property?  People can still hop the fence and get in.  Why bother putting barbed wire on top of a fence?  People can still put heavy clothes on top of it to get over it.  Or they can cut through the chain link fence.  Therefore, we shouldn't build fences at all.

I disagree with your logic. Obviously any security system can be breached, but that doesn't mean they shouldn't be put in place to begin with. Any sense of security is enough to ward off no-gooders. Browser fingerprinting isn't of course the end-all, be-all solution, but at least it does something.
