https://bugzilla.wikimedia.org/show_bug.cgi?id=16822

Brian Jason Drake <brianr...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |brianr...@gmail.com

--- Comment #8 from Brian Jason Drake <brianr...@gmail.com> 2010-12-29 16:24:49 UTC ---
(In reply to comment #0)
> Currently we pull images (and CentralNotice JS) from
> http://upload.wikimedia.org even for pages accessed over SSL on
> https://secure.wikimedia.org/
> 
> [snip]
> 
> 2) A MITM attacker could replace your images with something malicious/nasty
> (moderately annoying)
> 
> [snip]

It’s more than “moderately annoying” [0]. You said it yourself: the images
could be replaced with something “malicious”. It’s more obvious how this could
be a security risk when you consider that images could be used by gadgets or
user scripts.

[0] “How to Deploy HTTPS Correctly”
<https://www.eff.org/pages/how-deploy-https-correctly> (“Mixed Content”
section)
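
The following is an added example, not part of the bug report or of any Wikimedia code: a small Python audit for the mixed content discussed above, listing the subresources an HTTPS page would fetch over plain HTTP and labelling each as active or passive. The sample HTML and its paths are constructed; only the two host names come from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a subresource. "Active" content can script
# the page; "passive" content (images, media) cannot by itself.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"),
          ("embed", "src"), ("link", "href")}  # link: rel=stylesheet only
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return
        for attr, value in attrs.items():
            if value and ((tag, attr) in ACTIVE or (tag, attr) in PASSIVE):
                # Resolve relative and protocol-relative URLs against the page.
                url = urljoin(self.page_url, value.strip())
                if urlsplit(url).scheme == "http":
                    kind = "active" if (tag, attr) in ACTIVE else "passive"
                    self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for each http:// subresource of an https page."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: host names are from the bug report, paths are made up.
SAMPLE_URL = "https://secure.wikimedia.org/wikipedia/en/wiki/Example"
SAMPLE_HTML = """
<link rel="stylesheet" href="/constructed/skin.css">
<script src="http://upload.wikimedia.org/constructed/notice.js"></script>
<img src="http://upload.wikimedia.org/constructed/a.png">
<img src="//upload.wikimedia.org/constructed/b.png">
<a href="http://example.org/">ordinary link, not a subresource</a>
"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(*finding)
```

The protocol-relative image and the relative stylesheet inherit the page's HTTPS scheme and are not reported; the plain link is navigation, not a subresource.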
