how to solve homoglyph issue?

Started by Paul2, December 05, 2018, 11:31:49 AM


Paul2

Hello,

How could I configure SMF so that only ASCII or ISO-LATIN usernames are allowed?

My forum gets "attacked" by some "funny guys" that create new logins looking exactly like existing logins but some letters replaced by same looking ISO-Latin. Like cyrillic "i" instead of ASCII "i"...

Aleksi "Lex" Kilpinen

Exactly what version are you using? I think SMF should already screen for those by default, at least partly.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF


Paul2

Here is an example of 2 user accounts:
$ echo "Mіau!" | od -c
0000000   M 321 226   a   u   !  \n
0000007
$ echo "Miau!" | od -c
0000000   M   i   a   u   !  \n
0000006

Arantor

You could just ban the users that do it without needing a technological solution.

Paul2

Quote from: Arantor on December 05, 2018, 11:40:24 AM
You could just ban the users that do it without needing a technological solution.

get serious:
manually ban each user who does the homoglyph attack on others? - that's not a solution, that's a nightmare.

I'm pretty sure there is an out-of-box solution for this problem.

Like an admin-menu checkbox
[  ] only allow ISO-LATIN (ASCII) usernames
and then just filter all non-ISO-Latin (or ASCII) characters

shawnb61

I seem to recall this cannot happen anymore, it's prevented in 2.0.x and 2.1.

The remaining issues should be a small set of users who were registered before the fix, which was a while back.   

Unless I am missing something?   Prior topic:
https://www.simplemachines.org/community/index.php?topic=560018.0

Or is this slightly different?
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Paul2

apparently not. The forum was installed 4 months ago.
SMF 2.0.15

Arantor

There is no out of the box solution for SMF, despite your belief in such a thing.

The only possible option is to restrict characters to strict ASCII and even that isn't idiot proof as many users confuse lowercase L with uppercase I in many fonts, along with | as well. Unless you restrict use of these too, it still has problems.

In any case if you have enough users doing this that you actually NEED to solve this with a technological solution, you're going to have way more serious problems with moderating such troublemakers.

Aleksi "Lex" Kilpinen

Quote from: shawnb61 on December 05, 2018, 04:49:12 PM
I seem to recall this cannot happen anymore, it's prevented in 2.0.x and 2.1.

The remaining issues should be a small set of users who were registered before the fix, which was a while back.   

Unless I am missing something?   Prior topic:
https://www.simplemachines.org/community/index.php?topic=560018.0

Or is this slightly different?
This might be slightly different in the way that this is the other way around if I'm guessing right.

Just out of curiosity, what mods are installed on the forum? Any that deal with registration?
Social logins, Tapatalk?

Arantor

You are thinking of something slightly different. There is intentional protection against leading and trailing white space, and there is protection against certain combinations by way of database collation (but that's a happy by-product, not intentional).

But homoglyphs, of similar looking letters, no. Partially because implementing it in the core as the OP suggests would basically make the software unusable for anyone whose environment isn't English (most of the users then), and partially because the list is so huge and grows over time that it's a surprisingly complex task.

phpBB does have protection in this department but it's still pretty easy to get around. But the bottom line is that if you have people trolling like this, no amount of technological tools can fix a social problem.

Paul2

Quote from: Arantor on December 06, 2018, 03:13:22 AM
But homoglyphs, of similar looking letters, no. Partially because implementing it in the core as the OP suggests would basically make the software unusable for anyone whose environment isn't English (most of the users then), and partially because the list is so huge and grows over time that it's a surprisingly complex task.

A checkbox in the administrator's menu where new login creation is restricted to ASCII characters is a problem? - if such basic and very easy to implement things are a problem, the software in total seems to be the problem.

I now just hacked it into the code myself:
Sources/Subs-Members.php
if (preg_match('~^[a-zA-Z0-9 ]{1,}$~', $regOptions['username']) //....
But IMO that's not a thing users should be obliged to do just to get the forum run in a decent way.

Quote
phpBB does have protection in this department but it's still pretty easy to get around. But the bottom line is that if you have people trolling like this, no amount of technological tools can fix a social problem.

sounds like: "we don't need spam protection since we believe that if people are spamming our forums like this, no amount of technological tools can fix the social problem of spamming"  ;-)

Arantor

Straw man argument, but I'm glad you got it resolved to your satisfaction.

Illori

we are well aware of this, but at this time see no reason to "fix" this. we also do not allow clone accounts here.

Paul2

Oh - someone deleted my homoglyph "Arantоr" account and its posting for demonstration purposes. What a pity!

So this "social problem" was solved with a.) technical measures and b.) manual work. How come?

I can tell you why: no one likes homoglyph attacks on user accounts! Cloned users don't like it, fooled readers don't like it and most moderators (except probably at SMF forum) hate it because that creates unnecessary workload.

Arantor

Except that you conveniently ignored how actually impractical your solution would be here, it would make the software unusable for people outside the US which is a surprising amount of the user base, not just here but everywhere.

Your solution also might not prevent all attacks even of the kind you talk about, actually, depending on how you configured permissions, but what would I know?

Again, this is simply not a big enough problem to actually fix in the software, based on the amount of times it's been discussed in the years I've been here.

Paul2

Quote from: Arantor on December 06, 2018, 09:39:09 AM
Except that you conveniently ignored how actually impractical your solution would be here, it would make the software unusable for people outside the US which is a surprising amount of the user base, not just here but everywhere.

Allowing the administrator to restrict new account creation to ASCII usernames with a checkbox wouldn't make your software unusable for non US use. Administrators who like supporting homoglyph attacks just leave this checkbox unchecked and everything is exactly like it was before. For all others a nasty bug is fixed.


shawnb61

If you wish to request a feature, use the feature request board:
https://www.simplemachines.org/community/index.php?board=3.0

SMF does in fact attempt to detect dupes, but only does so within the bounds of collation detection.  E.g., FredrikÖ and FredrikO and fredriko are all considered dupes and not allowed. 

As you point out, this is not extended when similar glyphs are used for completely different characters across languages. 

If you wish to code your own ASCII check, I'd start by enhancing isReservedName() in Subs-Members.php.  I don't think an ASCII check would be an acceptable long-term solution for SMF due to broad multi-language support by SMF. 

But enhancing isReservedName to better detect homoglyphs is a valid (if potentially difficult) request. 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp
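
Added example (not part of any post in this thread, and not SMF code): a Python sketch of the checks discussed above, namely the mixed-script test that catches Paul2's "Mіau!" case, an accent and case fold comparable to the collation behaviour shawnb61 describes, and the I / l / | confusion Arantor raises. The function names, the tiny look-alike table and the sample member list are constructed for illustration; all-Cyrillic names still pass, so the check does not amount to an ASCII-only restriction.

```python
import unicodedata

# Constructed, deliberately tiny look-alike table (Cyrillic to Latin, plus the
# I / l / | confusion raised in the thread). A real deployment would load
# Unicode's confusables.txt (UTS #39) instead of this hand-written subset.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "I": "l", "|": "l",
}

def scripts(name):
    """Scripts of the letters in name, read from the first word of each
    character's Unicode name, e.g. 'LATIN' or 'CYRILLIC' (a heuristic)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in name if ch.isalpha()}

def fold(text):
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def skeleton(name):
    """Comparison key: map look-alikes, drop accents, casefold, map again
    (the second pass catches capitals that only became mappable in lowercase)."""
    decomposed = unicodedata.normalize("NFKD", fold(name))
    bare = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return fold(bare.casefold())

def check_username(candidate, existing):
    """Return the reasons to reject candidate; an empty list means accept."""
    reasons = []
    found = scripts(candidate)
    if len(found) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(found)))
    key = skeleton(candidate)
    for taken in existing:
        if taken != candidate and skeleton(taken) == key:
            reasons.append("confusable with existing user: " + taken)
    return reasons

# Constructed sample data, using names that appear in this thread.
EXISTING = ["Miau!", "Arantor", "FredrikO"]

if __name__ == "__main__":
    for name in ["M\u0456au!", "Arant\u043er", "Fredrik\u00d6",
                 "\u0421\u043b\u0430\u0432\u0430", "Paul2"]:
        print(ascii(name), check_username(name, EXISTING) or "accepted")
```

The same comparison has to run wherever a visible name can be set, including display-name changes made through the profile, not only at registration.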

Arantor

Quote from: Paul2 on December 09, 2018, 12:49:49 PM
Quote from: Arantor on December 06, 2018, 09:39:09 AM
Except that you conveniently ignored how actually impractical your solution would be here, it would make the software unusable for people outside the US which is a surprising amount of the user base, not just here but everywhere.

Did you check people changing their name via profile? Don't think so.

I also like how you equate the vast majority of users as "supporting homoglyph issues" just because you don't use the same alphabet as them.

Kindred

It is distinctly unlikely that this sort of restriction would ever be a standard feature given that it would cripple many languages.

Again... technical solutions to social problems are not a solution... it just moves the goalposts slightly for the offenders.

A moderator deleting your duplicate account is not a technical solution, it's a social solution... account deleted and, if you had continued, penalties would have been applied, up to and including banning.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
