Community Wishlist Survey 2017/Admins and stewards/Create a global whitelist for global autoblocks

Create a global whitelist for global autoblocks

Problem:

Many subnets belonging to colo/hosting service are globally blocked in order to stop spam or per NOP. Several legit users/organisation may be affected if they use private VPN, private proxies which are caught by these blocks. Currently the only way to unblock a single IP is chunking the relevant rangeblock in 32-blocked prefix lenght blocks (for IPv4).

Who would benefit:

Legit users caught by proxyblock, stewards saving complains to give answers and administrative overhead in managing the block of many smaller subnets.

Proposed solution:

Allow a global whitelisting of IPs (or even ranges) included in a globally blocked subnet.

More comments:

Phabricator tickets:

Proposer: Vituzzu (talk) 20:43, 8 November 2017 (UTC)Reply[reply]

Translations: none yet

Discussion[edit]

Is Global IP block exemptions insufficient? Anomie (talk) 14:58, 9 November 2017 (UTC)Reply[reply]

Nope, GIPBE is a big deal since it allows an user to edit from *any* blocked connection, also it obviously only works for registered users. --Vituzzu (talk) 10:49, 14 November 2017 (UTC)Reply[reply]

I can't see why this is needed given that we have both global and local IP block exemption systems. Additionally we have "whitelists" already locally en:Special:ListUsers/ipblock-exempt, and (maybe?) globally Special:GlobalBlockWhitelist. A Den Jentyl Ettien Avel Dysklyver (talk) 16:25, 9 November 2017 (UTC)Reply[reply]

Not at all, there are 900 wikis where it would be potentially needed. An example, I just got an email from a local US government which offers a free wifi service. The service uses a captive portal hosted in a colocation facility. Colocation subnet is blocked because it also hosts several open proxies. How would you solve this? --Vituzzu (talk) 10:49, 14 November 2017 (UTC)Reply[reply]

By not blocking entire subnets because they include "several open proxies"? --Tgr (WMF) (talk) 00:55, 17 November 2017 (UTC)Reply[reply]

Did you ever dealt with spambots floods or our loyal LTAs? --Vituzzu (talk) 10:07, 17 November 2017 (UTC)Reply[reply]

Yes, although no doubt on a smaller scale than large wiki / crosswiki antiabuse people. My point (made in a flippant tone that was uncalled for; sorry about that) was that if a block is sweeping enough to include important institutions that we notice we don't want to block, then it's probably also going to include lots of "unimportant" well-intentioned users whom we won't notice. It would be better to think about improving block targeting instead of issuing wide blocks and whitelisting a lucky few. --Tgr (WMF) (talk) 06:34, 19 November 2017 (UTC)Reply[reply]

Well, I made just an example, but most of complains are from single users, usually those using their own VPNs. Rangeblocks are not indiscriminate, I usually don't block transit while I usually block webhosting. Also, a significant percentage of users caught are actually affected by some fancy malware.

What I am proposing here is not meant to be a general purpose solution, but another tool to ease the handling of the big burden of crosswiki issues. A tool which would be, in my experience, the "cheapest" way to solve a variety of problems. --Vituzzu (talk) 20:51, 19 November 2017 (UTC)Reply[reply]

Voting[edit]

Support Stryn (talk) 18:58, 27 November 2017 (UTC)Reply[reply]
Support Matiia (talk) 00:37, 28 November 2017 (UTC)Reply[reply]
Support Defender (talk) 01:39, 28 November 2017 (UTC)Reply[reply]
Support - yona B. (D) 05:46, 28 November 2017 (UTC)Reply[reply]
Support --Liuxinyu970226 (talk) 12:47, 28 November 2017 (UTC)Reply[reply]
Support Owula kpakpo (talk) 15:43, 28 November 2017 (UTC)Reply[reply]
Support Sakretsu (talk) 17:06, 28 November 2017 (UTC)Reply[reply]
Support --Sannita - not just another it.wiki sysop 19:31, 28 November 2017 (UTC)Reply[reply]
Support Gripweed (talk) 21:24, 28 November 2017 (UTC)Reply[reply]
Support Thomas Obermair 4 (talk) 21:32, 28 November 2017 (UTC)Reply[reply]
Support Gbear605 (talk) 21:37, 28 November 2017 (UTC)Reply[reply]
Support Shizhao (talk) 02:45, 29 November 2017 (UTC)Reply[reply]
Support Shanmugamp7 ^(talk) 06:50, 29 November 2017 (UTC)Reply[reply]
Support Donald Trung (Talk 🤳🏻) (My global lock 🔒) (My global unlock 🔓) 10:24, 29 November 2017 (UTC)Reply[reply]
Support --Ruthven (talk) 19:33, 29 November 2017 (UTC)Reply[reply]
Support --g (talk) 00:24, 30 November 2017 (UTC)Reply[reply]
Support --隼鷹 (talk) 05:35, 30 November 2017 (UTC)Reply[reply]
Support--L736E ^{tell me} 07:55, 30 November 2017 (UTC)Reply[reply]
Support Dromedar61 (talk) 20:30, 30 November 2017 (UTC)Reply[reply]
Support Daniel Case (talk) 00:36, 1 December 2017 (UTC)Reply[reply]
Support ~Cybularny ^Speak? 12:06, 2 December 2017 (UTC)Reply[reply]
Support —MarcoAurelio (talk) 15:24, 2 December 2017 (UTC)Reply[reply]
Support Emir of Wikipedia (talk) 15:32, 2 December 2017 (UTC)Reply[reply]
Support WikiMasterGhibif (talk) 23:42, 2 December 2017 (UTC)Reply[reply]
Support Ciao • Bestoernesto • ✉ 02:33, 4 December 2017 (UTC)Reply[reply]
Support Yeza (talk) 23:14, 4 December 2017 (UTC)Reply[reply]
Support X:: black ::X (talk) 14:10, 7 December 2017 (UTC)Reply[reply]
Support Ahm masum (talk) 21:15, 7 December 2017 (UTC)Reply[reply]
Support Wikimedia projects ally with other open content, information access advocacy projects. There are high profile activists who decline to send their communities to Wikimedia projects because of the lack of personal security we offer. We need to have predictable technical and social infrastructure aligned with each other to provide editing access to registered accounts which need to use VPNs. VPN use is a necessity for some people, not a bothersome luxury, and we need to set a good example for the world and with our partners by making it easy to grant these rights. Blue Rasberry (talk) 15:20, 9 December 2017 (UTC)Reply[reply]
Support Ruslik (talk) 12:32, 10 December 2017 (UTC)Reply[reply]
Support --HakanIST (talk) 12:27, 11 December 2017 (UTC)Reply[reply]