On Fri, Jul 24, 2009 at 2:24 AM, Tim Starling <tstarl...@wikimedia.org> wrote:
> There's plenty of ways to attack watchlistr without fully compromising
> the server.

The point is that a system that allowed stealing the logins of hundreds of Wikipedia users if you managed to compromise a third-party website run to unknown security standards is unacceptable. *Even* if it's set up so you really do have to be able to run arbitrary code as the web user to get the data -- and in this case security appeared to be even lower. Malice is also a concern in the general case, although it might not be a concern here.

So any solution that allows either of the following is unacceptable:

1) The compromise of a(n additional) third party run to unknown security standards could result in many Wikipedia user accounts being taken over.

2) A third party becoming malicious could result in many Wikipedia user accounts being taken over.

Hopefully my watchlist-reading code will be deemed acceptable. I'm reminded (by Domas, of course) that watchlists are actually a very expensive operation, so I wouldn't be entirely surprised if this gets $wgMiserModed away before or shortly after deployment, when users start requesting 400 wikis' watchlists every fifteen minutes.

I wish there were some good solution to this. How do other sites handle giant numbers of users watching changes to zillions of pages? Throwing hardware at it?