Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: Paul2 on December 05, 2018, 11:31:49 AM

Title: how to solve homoglyph issue?
Post by: Paul2 on December 05, 2018, 11:31:49 AM
Hello,

How could I configure SMF so that only ASCII or ISO-LATIN usernames are allowed?

My forum gets "attacked" by some "funny guys" that create new logins looking exactly like existing logins but with some letters replaced by same-looking ISO-Latin. Like Cyrillic "i" instead of ASCII "i"...
Title: Re: how to solve homoglyph issue?
Post by: Aleksi "Lex" Kilpinen on December 05, 2018, 11:34:35 AM
Exactly what version are you using? I think SMF should already screen for those by default, at least partly.
Title: Re: how to solve homoglyph issue?
Post by: Paul2 on December 05, 2018, 11:38:25 AM
SMF 2.0.15
Title: Re: how to solve homoglyph issue?
Post by: Paul2 on December 05, 2018, 11:39:16 AM
Here is an example of 2 user accounts:
$ echo "Mіau!" | od -c
0000000   M 321 226   a   u   !  \n
0000007
$ echo "Miau!" | od -c
0000000   M   i   a   u   !  \n
0000006
Title: Re: how to solve homoglyph issue?
Post by: Arantor on December 05, 2018, 11:40:24 AM
You could just ban the users that do it without needing a technological solution.
Title: Re: how to solve homoglyph issue?
Post by: Paul2 on December 05, 2018, 04:26:43 PM
Quote from: Arantor on December 05, 2018, 11:40:24 AM
You could just ban the users that do it without needing a technological solution.

get serious:
manually ban each user who does the homoglyph attack on others? - that's not a solution, that's a nightmare.

I'm pretty sure there is an out-of-box solution for this problem.

Like an admin-menu checkbox
[  ] only allow ISO-LATIN (ASCII) usernames
and then just filter all non-ISO-Latin (or ASCII) characters
Title: Re: how to solve homoglyph issue?
Post by: shawnb61 on December 05, 2018, 04:49:12 PM
I seem to recall this cannot happen anymore, it's prevented in 2.0.x and 2.1.

The remaining issues should be a small set of users who were registered before the fix, which was a while back.   

Unless I am missing something?   Prior topic:
https://www.simplemachines.org/community/index.php?topic=560018.0

Or is this slightly different?
Title: Re: how to solve homoglyph issue?
Post by: Paul2 on December 05, 2018, 05:16:20 PM
apparently not. The forum was installed 4 months ago.
SMF 2.0.15
Title: Re: how to solve homoglyph issue?
Post by: Arantor on December 05, 2018, 06:56:45 PM
There is no out of the box solution for SMF, despite your belief in such a thing.

The only possible option is to restrict characters to strict ASCII and even that isn't idiot proof as many users confuse lowercase L with uppercase I in many fonts, along with | as well. Unless you restrict use of these too, it still has problems.

In any case if you have enough users doing this that you actually NEED to solve this with a technological solution, you're going to have way more serious problems with moderating such troublemakers.
Title: Re: how to solve homoglyph issue?
Post by: Aleksi "Lex" Kilpinen on December 06, 2018, 12:11:07 AM
Quote from: shawnb61 on December 05, 2018, 04:49:12 PM
I seem to recall this cannot happen anymore, it's prevented in 2.0.x and 2.1.

The remaining issues should be a small set of users who were registered before the fix, which was a while back.   

Unless I am missing something?   Prior topic:
https://www.simplemachines.org/community/index.php?topic=560018.0

Or is this slightly different?
This might be slightly different in the way that this is the other way around if I'm guessing right.

Just out of curiosity, what mods are installed on the forum? Any that deal with registration?
Social logins, Tapatalk?
Title: Re: how to solve homoglyph issue?
Post by: Arantor on December 06, 2018, 03:13:22 AM
You are thinking of something slightly different. There is intentional protection against white space leading and trailing, and there is protection against certain combinations by way of database collation (but that's a happy by-product, not intentional)

But homoglyphs, of similar looking letters, no. Partially because implementing it in the core as the OP suggests would basically make the software unusable for anyone whose environment isn't English (most of the users then), and partially because the list is so huge and grows over time that it's a surprisingly complex task.

phpBB does have protection in this department but it's still pretty easy to get around. But the bottom line is that if you have people trolling like this, no amount of technological tools can fix a social problem.
Title: Re: how to solve homoglyph issue?
Post by: Paul2 on December 06, 2018, 06:09:44 AM
Quote from: Arantor on December 06, 2018, 03:13:22 AM
But homoglyphs, of similar looking letters, no. Partially because implementing it in the core as the OP suggests would basically make the software unusable for anyone whose environment isn't English (most of the users then), and partially because the list is so huge and grows over time that it's a surprisingly complex task.

a checkbox in the administrator's menu where new login creation is restricted to ASCII characters is a problem? - if such basic and very easy to be implemented things are a problem, the software in total seems to be the problem.

I now just hacked it into the code myself:
Sources/Subs-Members.php
if (preg_match('~^[a-zA-Z0-9 ]{1,}$~', $regOptions['username']) //....
But IMO that's not a thing users should be obliged to do just to get the forum run in a decent way.

Quote
phpBB does have protection in this department but it's still pretty easy to get around. But the bottom line is that if you have people trolling like this, no amount of technological tools can fix a social problem.

sounds like: "we don't need spam protection since we believe that if people are spamming our forums like this, no amount of technological tools can fix the social problem of spamming"  ;-)
Title: Re: how to solve homoglyph issue?
Post by: Arantor on December 06, 2018, 06:14:38 AM
Straw man argument, but I'm glad you got it resolved to your satisfaction.
Title: Re: how to solve homoglyph issue?
Post by: Illori on December 06, 2018, 07:32:53 AM
we are well aware of this, but at this time see no reason to "fix" this. we also do not allow clone accounts here.
Title: Re: how to solve homoglyph issue?
Post by: Paul2 on December 06, 2018, 07:42:22 AM
oh - someone deleted my homoglyph "Arantоr" account and its posting for demonstration purpose. What a pity!

So this "social problem" was solved with a.) technical measures and b.) manual work. How come?

I can tell you why: no one likes homoglyph attacks on user accounts! Cloned users don't like it, fooled readers don't like it and most moderators (except probably at SMF forum) hate it because that creates unnecessary workload.
Title: Re: how to solve homoglyph issue?
Post by: Arantor on December 06, 2018, 09:39:09 AM
Except that you conveniently ignored how actually impractical your solution would be here, it would make the software unusable for people outside the US which is a surprising amount of the user base, not just here but everywhere.

Your solution also might not prevent all attacks even of the kind you talk about, actually, depending on how you configured permissions, but what would I know?

Again, this is simply not a big enough problem to actually fix in the software, based on the amount of times it's been discussed in the years I've been here.
Title: Re: how to solve homoglyph issue?
Post by: Paul2 on December 09, 2018, 12:49:49 PM
Quote from: Arantor on December 06, 2018, 09:39:09 AM
Except that you conveniently ignored how actually impractical your solution would be here, it would make the software unusable for people outside the US which is a surprising amount of the user base, not just here but everywhere.

Allowing the administrator to restrict new account creation to ASCII usernames with a checkbox wouldn't make your software unusable for non US use. Administrators who like supporting homoglyph attacks just leave this checkbox unchecked and everything is exactly like it was before. For all others a nasty bug is fixed.

Title: Re: how to solve homoglyph issue?
Post by: shawnb61 on December 09, 2018, 02:33:54 PM
If you wish to request a feature, use the feature request board:
https://www.simplemachines.org/community/index.php?board=3.0

SMF does in fact attempt to detect dupes, but only does so within the bounds of collation detection.  E.g., FredrikÖ and FredrikO and fredriko are all considered dupes and not allowed. 

As you point out, this is not extended when similar glyphs are used for completely different characters across languages. 

If you wish to code your own ASCII check, I'd start by enhancing isReservedName() in Subs-Members.php.  I don't think an ASCII check would be an acceptable long-term solution for SMF due to broad multi-language support by SMF. 

But enhancing isReservedName to better detect homoglyphs is a valid (if potentially difficult) request. 
Title: Re: how to solve homoglyph issue?
Post by: Arantor on December 09, 2018, 02:46:00 PM
Quote from: Paul2 on December 09, 2018, 12:49:49 PM
Quote from: Arantor on December 06, 2018, 09:39:09 AM
Except that you conveniently ignored how actually impractical your solution would be here, it would make the software unusable for people outside the US which is a surprising amount of the user base, not just here but everywhere.

Did you check people changing their name via profile? Don't think so.

I also like how you equate the vast majority of users as "supporting homoglyph issues" just because you don't use the same alphabet as them.
Title: Re: how to solve homoglyph issue?
Post by: Kindred on December 09, 2018, 03:29:46 PM
It is distinctly unlikely that this sort of restriction would ever be a standard feature given that it would cripple many languages.

Again... technical solutions to social problems are not a solution... it just moves the goalposts slightly for the offenders.

A moderator deleting your duplicate account is not a technical solution, it's a social solution... account deleted and, if you had continued, penalties would have been applied, up to and including banning.
Title: Re: how to solve homoglyph issue?
Post by: shawnb61 on December 09, 2018, 05:59:13 PM
An ASCII restriction is not a good solution. 

However, there are libraries/approaches out there to test for homoglyphs.  (I think it's even native to .js.) 

I do think that a homoglyph check would be a useful feature.  The sample provided above is valid:  "Mіau!" and "Miau!" are two distinct names, and are not caught by the existing SMF dupe prevention.   

There are valid reasons we prevent dupes, and it would be proper to close such loopholes. 


EDIT: I logged a feature request here:
https://www.simplemachines.org/community/index.php?topic=563911.0
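
Added example, not part of the thread and not SMF code: one way the homoglyph check discussed above could work without restricting names to ASCII, by rejecting names that mix scripts or that collide with an existing name once look-alike letters are folded. The function names, the member list and the small confusables table are constructed for illustration; PHP 7+ with mbstring is assumed.

```php
<?php
// Constructed subset of look-alike letters (Cyrillic/Greek -> Latin).
// A production check should use the full Unicode confusables data,
// e.g. via the Spoofchecker class of PHP's intl extension.
const CONFUSABLES = [
    "\u{0456}" => 'i', "\u{0430}" => 'a', "\u{0435}" => 'e', "\u{043E}" => 'o',
    "\u{0440}" => 'p', "\u{0441}" => 'c', "\u{0445}" => 'x', "\u{0443}" => 'y',
    "\u{03BF}" => 'o', "\u{03B1}" => 'a',
];

// Comparison key: lowercase the name, then fold look-alikes to Latin.
function name_skeleton(string $name): string
{
    return strtr(mb_strtolower($name, 'UTF-8'), CONFUSABLES);
}

// True when a name mixes Latin letters with Cyrillic or Greek ones.
function is_mixed_script(string $name): bool
{
    $latin = preg_match('/\p{Latin}/u', $name) === 1;
    $other = preg_match('/[\p{Cyrillic}\p{Greek}]/u', $name) === 1;
    return $latin && $other;
}

// Returns a rejection reason, or null when the name is acceptable.
function check_new_name(string $candidate, array $existing): ?string
{
    if (is_mixed_script($candidate)) {
        return 'mixed-script';
    }
    $skeleton = name_skeleton($candidate);
    foreach ($existing as $taken) {
        if (name_skeleton($taken) === $skeleton) {
            return "looks like existing name: $taken";
        }
    }
    return null;
}

$members = ['Miau!', 'Papa'];                 // constructed member list
$tests = [
    "M\u{0456}au!",                           // bytes 321 226 from the od output
    "\u{0440}\u{0430}\u{0440}\u{0430}",       // all-Cyrillic look-alike of "papa"
    'Fredrik',                                // plain Latin, no collision
    "\u{041C}\u{0438}\u{0448}\u{0430}",       // genuine Cyrillic name, allowed
];
foreach ($tests as $name) {
    echo $name, ' => ', check_new_name($name, $members) ?? 'ok', "\n";
}
```

The same check would have to run wherever a name can be changed, not only at registration. Multi-character look-alikes, such as the 'cj' and 'g' case raised in the next post, are outside what this table covers.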
Title: Re: how to solve homoglyph issue?
Post by: Arantor on December 09, 2018, 06:22:14 PM
Except that this is a huge matter of debate: how far do you go? If you follow the very link in your example, you potentially consider 'cj' as a homoglyph of 'g'. How far down that road do you possibly go?