To really fix the problem we would have to go HTTPS by default. I don't know what that means to our resource usage, as well as how it affects people who cannot use HTTPS for whatever reason.
By the way, there is a plugin for Firefox called HTTPS Everywhere, which will attempt to switch to HTTPS whenever possible for many sites. Wikipedia is among the supported sites. https://www.eff.org/https-everywhere

The author of that plugin reached out to the foundation some months ago complaining that upload.wikimedia.org and commons.wikimedia.org had no HTTPS equivalents. I honestly don't know all of the security implications there -- upload.wikimedia.org seems okay (from a login hijacking perspective), since we never transmit any login credentials there, but we do with commons.wikimedia.org, and there's no HTTPS equivalent.

On 10/25/10 10:26 AM, Marco Schuster wrote:
> On Mon, Oct 25, 2010 at 7:15 PM, Hay (Husky) <hus...@gmail.com> wrote:
>> Has anyone seen this?
>>
>> http://codebutler.com/firesheep
>>
>> A new Firefox plugin that makes it trivially easy to hijack cookies
>> from a website that's using HTTP for login over an unencrypted
>> wireless network. Wikipedia isn't in the standard installation as a
>> site (lots of other sites, such as Facebook, Twitter, etc. are). We
>> are using HTTP login by default, so I guess we're vulnerable as well
>> (please say so if we're using some other kind of defensive mechanism
>> I'm not aware of). Might it be a good idea to set HTTPS as the standard
>> login? Gmail has been doing this since April this year.
> Firesheep works by snooping cookies, not login processes, and it's
> even without software like this incredibly easy to own someone. All it
> needs to own a Wikipedia admin or user is being in the same network as
> him.
> The admin in question doesn't even have to visit Wikipedia directly,
> there are enough pages hotlinking to upload.wikimedia.org, which
> should cause the browser to transmit session data.
>
> If you're in need of using secure login, then you can use the secure
> webserver, but in the past it had some load issues.
>
> Marco

-- 
Neil Kandalgaonkar (| <ne...@wikimedia.org>

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
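As an added illustration of the hotlink leak Marco describes (this is not code from the thread or from Wikimedia), the Python below models the browser's cookie-scoping rules and reports which cookies would travel in the clear to a hotlinked upload.wikimedia.org image. The cookie attributes, origin host and image URL are constructed assumptions, not Wikimedia's actual configuration; the point is that only the Secure flag, not HttpOnly, keeps a zone-wide session cookie off plaintext connections.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header: str, origin_host: str) -> dict:
    """Parse one Set-Cookie header value into the attributes that decide where it is sent."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": origin_host.lower(),
              "host_only": True, "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie["domain"], cookie["host_only"] = val.lstrip(".").lower(), False
        elif key == "path" and val:
            cookie["path"] = val
        elif key in ("secure", "httponly"):
            cookie[key] = True
    return cookie

def domain_matches(request_host: str, cookie: dict) -> bool:
    """RFC 6265 matching: host-only cookies need the exact host, Domain= cookies also cover subdomains."""
    host = request_host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def would_be_sent(cookie: dict, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    u = urlsplit(url)
    if cookie["secure"] and u.scheme != "https":
        return False  # the Secure flag is what keeps a cookie off plaintext connections
    if not domain_matches(u.hostname or "", cookie):
        return False
    path = u.path or "/"
    return path == cookie["path"] or path.startswith(cookie["path"].rstrip("/") + "/")

def plaintext_exposures(cookies: list, urls: list) -> list:
    """(cookie name, url) pairs where the cookie would cross the wire unencrypted."""
    return [(c["name"], url) for c in cookies for url in urls
            if urlsplit(url).scheme == "http" and would_be_sent(c, url)]

# Constructed samples, not Wikimedia's real settings: a zone-wide session cookie without Secure, and the same cookie hardened.
WEAK = parse_set_cookie("session=EXAMPLE; Domain=.wikimedia.org; Path=/; HttpOnly", "commons.wikimedia.org")
HARDENED = parse_set_cookie("session=EXAMPLE; Domain=.wikimedia.org; Path=/; Secure; HttpOnly", "commons.wikimedia.org")
HOTLINK = "http://upload.wikimedia.org/wikipedia/commons/example.png"  # constructed hotlinked image URL

if __name__ == "__main__":
    for name, url in plaintext_exposures([WEAK, HARDENED], [HOTLINK]):
        print(f"cookie {name!r} would be sent in the clear to {url}")
```

Run as-is it reports the WEAK cookie only; a cookie scoped to the origin host alone (no Domain attribute) is never sent to the upload host at all.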