[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 This, that and the other at.li...@live.com.au changed: What|Removed |Added Status|NEW |RESOLVED CC||at.li...@live.com.au Resolution||FIXED --- Comment #19 from This, that and the other at.li...@live.com.au 2011-10-03 10:42:16 UTC --- https://upload.wikimedia.org now exists, and Firefox doesn't whinge when you visit the fresh new https://en.wikipedia.org site. Thanks to the techies for this! -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Brion Vibber br...@wikimedia.org changed: What|Removed |Added AssignedTo|has...@free.fr |rlan...@gmail.com --- Comment #16 from Brion Vibber br...@wikimedia.org 2011-07-15 23:05:54 UTC --- SSL support on upload.wikimedia.org is on now to support use of protocol-relative links to uploads on sites under their regular domains (bug 20643), but it's not yet being used on the existing secure.wikimedia.org. Reassigning to Ryan, since he's taking care of most of this testing config stuff. If we feel confident enough with the actual SSL serving on uploads we should be able to switch over the path settings for secure; or it can wait a bit until everything moves to bug 20643 if that ends up being a shorter journey. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 --- Comment #17 from Ryan Lane rlan...@gmail.com 2011-07-16 00:54:04 UTC --- I'd prefer to wait on this until everything is switched over to https. The SSL cluster is still being changed frequently, and isn't scaled to the growth needed to serve upload and bits yet. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 --- Comment #18 from Brion Vibber br...@wikimedia.org 2011-07-16 01:11:03 UTC --- *nod* that's what I figured. :) -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 --- Comment #15 from Brion Vibber br...@wikimedia.org 2011-04-25 17:54:25 UTC --- Any news on this? The lack of SSL on bits.wikimedia.org and upload.wikimedia.org is considered a factor in secure.wikimedia.org being officially considered unsupported by Wikimedia ops. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 k00r0sh koorosh2delb...@yahoo.com changed: What|Removed |Added CC||koorosh2delb...@yahoo.com -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are watching all bug changes. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Ashar Voultoiz has...@free.fr changed: What|Removed |Added Component|General/Unknown |SSL related -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 p858snake p858sn...@gmail.com changed: What|Removed |Added Blocks||27946 -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Mark A. Hershberger m...@everybody.org changed: What|Removed |Added AssignedTo|fvass...@wikimedia.org |has...@free.fr --- Comment #14 from Mark A. Hershberger m...@everybody.org 2011-03-06 21:27:17 UTC --- Giving half of Fred's old bugs to Ashar since I trust him to get it done or reassign if he doesn't have time. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Black Spider e...@spiderstech.com changed: What|Removed |Added CC||e...@spiderstech.com --- Comment #13 from Black Spider e...@spiderstech.com 2011-02-02 10:04:16 UTC --- Hello Guys, Recently I started to use secure.wikimedia.org to surf wikipedia. Why? because in my country they block CSS files and Photos from Wikipedia pages. I was so glad to find about the secure.wikimedia.org but the pictures didn't show up when I inspected the elements I found out that only CSS files where directed to SSL pages, while the photos are still on non-SSL pages. I don't know who should I talk to, to check it and make sure photos are directed to SSL pages. Any Ideas? Have a nice day Black Spider -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Mark A. Hershberger m...@everybody.org changed: What|Removed |Added CC||jpaperch...@aol.com --- Comment #12 from Mark A. Hershberger m...@everybody.org 2011-01-29 03:27:10 UTC --- *** Bug 26421 has been marked as a duplicate of this bug. *** -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 --- Comment #11 from Brian Jason Drake bri...@drakefamily.tk 2010-12-30 12:27:59 UTC --- (In reply to comment #10) (In reply to comment #8) It’s more than “moderately annoying” [0]. You said it yourself: the images could be replaced with something “malicious”. It’s more obvious how this could be a security risk when you consider that images could be used by gadgets or user scripts. The images are cross-origin, so they can do basically nothing different from if they were on some totally different site in a different tab. Gadgets and user scripts cannot (AFAIK) access the contents of upload.wikimedia.org files at all. Pretty much anything an attacker could do by MITMing these images, they could do by MITMing some unrelated site you have open, assuming you have at least one unsecured connection open. So that point is, yes, at most moderately annoying. The issues of replacing the scripts, and snooping on the images to figure out what pages you're viewing, are the significant ones. True, the images are cross-origin, and cannot in themselves do anything. True, gadgets and user scripts cannot access the contents of upload.wikimedia.org files. However, gadgets and user scripts can cause these files to be displayed on the current page. Once this is done, the images have meaning to the person viewing the page, who may make important decisions based on them. The EFF gives a nice example: “Nor is it safe to reference images via HTTP: What if the attacker swapped the Save Message and Delete Message icons in a webmail app?” So this issue is potentially more than moderately annoying: in fact, it is just as important as the other issues, in general. (However, for most users on the Wikimedia sites, it is probably far less important than the other issues.) -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Brian Jason Drake brianr...@gmail.com changed: What|Removed |Added CC||brianr...@gmail.com --- Comment #8 from Brian Jason Drake brianr...@gmail.com 2010-12-29 16:24:49 UTC --- (In reply to comment #0) Currently we pull images (and CentralNotice JS) from http://upload.wikimedia.org even for pages accessed over SSL on https://secure.wikimedia.org/ [snip] 2) A MITM attacker could replace your images with something malicious/nasty (moderately annoying) [snip] It’s more than “moderately annoying” [0]. You said it yourself: the images could be replaced with something “malicious”. It’s more obvious how this could be a security risk when you consider that images could be used by gadgets or user scripts. [0] “How to Deploy HTTPS Correctly” https://www.eff.org/pages/how-deploy-https-correctly (“Mixed Content” section) -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 --- Comment #9 from Brian Jason Drake brianr...@gmail.com 2010-12-29 16:30:14 UTC --- (In reply to comment #7) I use an addon called https everywhere. It automatically changes you to the secure version of any websites it lists, which includes wikipedia. But on wikipedia, it always warns me about parts of the page being insecure. Found it's because of the images that wikipedia shows and came across this bug. It is extremely annoying and I don't want to have to disable that warning just so that wikipedia won't bug me about it. I'd rather be warned for when I needed it. Please put the images website on ssl so that this warning stops popping up. The author is using an add-on called HTTPS Everywhere [0] for Firefox. Importantly, the warning is coming from Firefox itself, not any add-ons, and would still have appeared had they manually, or by any other method, accessed the secure version of a Wikimedia site. By the way, someone more familiar with the Wikimedia sites than me should keep an eye on the HTTPS Everywhere ruleset for those sites, to make sure it is as secure as possible (and, in particular, to make sure it is updated when the sites are changed). [0] https://www.eff.org/https-everywhere -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 --- Comment #10 from Aryeh Gregor simetrical+wikib...@gmail.com 2010-12-29 18:52:12 UTC --- (In reply to comment #8) It’s more than “moderately annoying” [0]. You said it yourself: the images could be replaced with something “malicious”. It’s more obvious how this could be a security risk when you consider that images could be used by gadgets or user scripts. The images are cross-origin, so they can do basically nothing different from if they were on some totally different site in a different tab. Gadgets and user scripts cannot (AFAIK) access the contents of upload.wikimedia.org files at all. Pretty much anything an attacker could do by MITMing these images, they could do by MITMing some unrelated site you have open, assuming you have at least one unsecured connection open. So that point is, yes, at most moderately annoying. The issues of replacing the scripts, and snooping on the images to figure out what pages you're viewing, are the significant ones. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 pyra...@mindless.com changed: What|Removed |Added CC||pyra...@mindless.com --- Comment #7 from pyra...@mindless.com 2010-10-20 06:39:28 UTC --- I use an addon called https everywhere. It automatically changes you to the secure version of any websites it lists, which includes wikipedia. But on wikipedia, it always warns me about parts of the page being insecure. Found it's because of the images that wikipedia shows and came across this bug. It is extremely annoying and I don't want to have to disable that warning just so that wikipedia won't bug me about it. I'd rather be warned for when I needed it. Please put the images website on ssl so that this warning stops popping up. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Luka Marčetić paxco...@gmail.com changed: What|Removed |Added Priority|Normal |High Severity|enhancement |major --- Comment #5 from Luka Marčetić paxco...@gmail.com 2010-07-09 17:21:20 UTC --- I would just like to point out this isn't exactly a duplicate of the above stated bugs. The talk exclusively of images, and not from a standpoint of inconvenience, but of security risk for the user. They aren't as mild as this bug would make it seem. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 --- Comment #6 from Luka Marčetić paxco...@gmail.com 2010-07-09 17:32:43 UTC --- Well... Creepy, but nobody seems to care. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Aryeh Gregor simetrical+wikib...@gmail.com changed: What|Removed |Added Priority|High|Normal Severity|major |enhancement -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 p858snake p858sn...@yahoo.com.au changed: What|Removed |Added CC||paxco...@gmail.com --- Comment #4 from p858snake p858sn...@yahoo.com.au 2010-07-03 02:50:33 UTC --- *** Bug 24239 has been marked as a duplicate of this bug. *** -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Matt McCutchen m...@mattmccutchen.net changed: What|Removed |Added CC||m...@mattmccutchen.net -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are watching all bug changes. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Brion Vibber br...@wikimedia.org changed: What|Removed |Added Blocks||20643 -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Derk-Jan Hartman hart...@videolan.org changed: What|Removed |Added CC||bmea...@ieee.org --- Comment #3 from Derk-Jan Hartman hart...@videolan.org 2009-08-21 13:36:44 UTC --- *** Bug 20335 has been marked as a duplicate of this bug. *** -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Brion Vibber br...@wikimedia.org changed: What|Removed |Added Blocks||18496 -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 merl bugrepor...@to.mabomuja.de changed: What|Removed |Added CC||bugrepor...@to.mabomuja.de --- Comment #2 from merl bugrepor...@to.mabomuja.de 2009-05-12 12:31:43 UTC --- If you are not able to visit http-urls e.g. because of a proxy, it is very annoying to have no images in articles and no special icons in review or edit modus. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 16822] Provide SSL/HTTPS interface to upload.wikimedia.org and use it for SSL-served pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=16822 Brion Vibber br...@wikimedia.org changed: What|Removed |Added CC||m...@nedworks.org, ||br...@wikimedia.org, ||rhals...@wikimedia.org AssignedTo|wikibugs- |fvass...@wikimedia.org |l...@lists.wikimedia.org | -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l