Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I hadn't known there was a term for this braindead idea that websites should hassle you based on your IP address. Of course there has to be a term, compartmentalization is necessary for getting good people to do bad things.

It's fantastic that Apple is continuing to mitigate commercial surveillance. It's easy to discriminate against us lone individuals who hide our IP addresses, but Apple's market is too big to reject. If they're successful here, I'll have to consider buying a Mac purely for their VPN service.

Perhaps they'll take on CAPTCHAs next.



> this braindead idea that websites should hassle you based on your IP address

So if you only ever log in to your financial institution from NY city, they shouldn't be suspicious if they see an attempt to log in from North Macedonia?


It was a nice temporary hack in the game of cat and mouse. Now a solution that doesn’t depend on that signal will be required.

My bank sends me a card with a grid of coordinates and I have to enter the character at the coordinate when I login, after entering my password, thereby proving something I know and something I have, without also requiring me to have a phone


Yes, that's great. It's also less convenient. Depending on the security threat model, users might tolerate it, or they might not. In the case of lots of money, it's a good practice.


People can start wanting to protect their privacy at any time. The situation you describe is more like you traditionally log in "from NYC", and then attempt to log in through a VPN which the snakeoil vendor calls "North Macedonia", and then you get discouraged as if it is a problem with the VPN. If website users could choose to opt in/out of such restrictions I'd see the utility, but that's not what's happening.


That's typical if you have a VPN, which many people do.


Presumably if you have a VPN your exit will appear to be the same place, or some small number of places, all the time. So again, a connection and authentication attempt from a different IP would be a signal to be concerned about.


You'd have 2fa for your online banking anyway.


And what if your bank only offers SMS for 2fa?


We're talking about how banks should be adapting away from this signal, so perhaps they should support WebAuthn and/or TOTP?

It would honestly be revolutionary for a bank to require hardware authentication and send a security key to every client upon registration.


I was thinking the other day that at the pace at which all the AI stuff is advancing, including hardware accelerators in consumer devices, it won't be long until captchas become useless for their purpose of telling humans and machines apart. It's already at the point where captchas are increasingly frustrating and require way too much attention instead of the simple "enter these characters".

Also, yes, I really wish recaptcha dies a painful death because it often does discriminate me for my IP address and non-acceptance of third-party cookies.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: