
Expand cookie blocking to enforce existing blocks with the same duration
Open, Needs Triage, Public

Description

Result of T309625: Investigate whether cookie blocks are working properly 4H

With the changes in IP assignment in the industry, our blocking tools are becoming useless every day. Cookie blocking has surgical precision and can be used to make sure blocked users stay blocked, especially indef-blocked ones.

Examples:

  • User:Foo is a new sock of an LTA, starts to abuse and we indef block User:Foo. The LTA logs out and either tries to create a new account or log in with a sleeper account.
    • Status quo: In some cases the user will get an auto block and gets blocked for a day.
    • Proposal: Attempt to log in, or edit under another or a new username should immediately lead to an indef auto-block (with a block id).
  • 192.0.2.1 is a bored high school kid and thinks it's funny to vandalize Wikipedia and as a result, the IP gets blocked for a week. The mobile provider usually changes the IP to something else in an hour or more.
    • Status quo: The vandal continues.
    • Proposal: Attempt to edit, creating an account and so on should lead to the one-week block being copied to the new IP with the same settings.
  • User:Bar is a problematic user who got blocked for a week but he has trouble respecting the block.
    • Status quo: The user easily can create a new account and bypass the block.
    • Proposal: Attempt to log in, or edit under another username should immediately lead to a one-week auto-block with a block id. Attempt to edit as IP should also block that given IP with the same settings with the same exact expiry.

I admit some cases can lead to exposing private information of vandals and blocked users but 1- This is mostly permitted by ToS given the fact that they are trying to bypass the block. And it can also be mitigated by IP masking.

There might also be some cases of collateral damage but such damages are next-to-none compared to the current system of range blocks. And similar to those collateral damages, admins can always unblock the mistakes.

This won't fix all cases as sophisticated LTAs would clear the cookies and come back but: 1- It still reduces the majority of our vandals who are typically high school kids with little technical knowledge and especially on mobile, which frees up a lot of much-valued volunteers' time. 2- It adds more work to the sophisticated LTAs, they have to jump through more hoops to bypass blocking.

We can start by just making sure indef-blocked users stay blocked (but also need to make sure it wouldn't cause issues in cases of unacceptable username blocks where rename or another user is acceptable).
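
The propagation rule proposed above, as an added sketch that is not MediaWiki's code or part of the original task: a signed cookie names the original block, and a new account or IP presenting it receives an auto-block with the same expiry and settings. The HMAC cookie format, the `username_only` flag and all sample data are assumptions made for this illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: server-side key that signs block cookies

@dataclass(frozen=True)
class Block:
    block_id: int
    target: str
    expiry: Optional[datetime]       # None = indefinite
    settings: tuple                  # copied unchanged to the derived block
    username_only: bool = False      # hypothetical flag: unacceptable-username block
    parent_id: Optional[int] = None  # block this auto-block was derived from

def _tag(block_id: str) -> str:
    return hmac.new(SECRET, block_id.encode(), hashlib.sha256).hexdigest()

def make_cookie(block: Block) -> str:
    return f"{block.block_id}!{_tag(str(block.block_id))}"

def block_from_cookie(cookie: str, blocks: dict) -> Optional[Block]:
    """Return the referenced block only if the cookie signature verifies."""
    block_id, _, tag = cookie.partition("!")
    if not block_id.isdigit() or not hmac.compare_digest(tag.encode(), _tag(block_id).encode()):
        return None
    return blocks.get(int(block_id))  # None if an admin already removed the block

def propagate(cookie: str, new_target: str, blocks: dict, now: datetime) -> Optional[Block]:
    """Derive an auto-block on new_target with the original expiry and settings."""
    original = block_from_cookie(cookie, blocks)
    if original is None or original.username_only:
        return None  # forged or stale cookie, or a block where a new account is fine
    if original.expiry is not None and original.expiry <= now:
        return None  # original block has expired; nothing left to enforce
    derived = replace(original, block_id=max(blocks) + 1, target=new_target,
                      parent_id=original.block_id)
    blocks[derived.block_id] = derived
    return derived

# Constructed sample data matching the three examples in the task description.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
BLOCKS = {
    1: Block(1, "User:Foo", None, ("nocreate",)),
    2: Block(2, "192.0.2.1", NOW + timedelta(days=7), ("nocreate", "anononly")),
    3: Block(3, "User:BadName", None, (), username_only=True),
}
```

Because the derived block records `parent_id`, an admin reviewing collateral damage can trace each auto-block back to the block that caused it.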

Event Timeline

My suggestion is that for the first part, at least indef block users who have an indef block cookie from a previous block. That will have a massive impact.

taavi updated the task description.