To really fix the problem we would have to go HTTPS by default. I don't 
know what that means to our resource usage, as well as how it affects 
people who cannot use HTTPS for whatever reason.

By the way, there is a plugin for Firefox called HTTPS Everywhere, which 
will attempt to switch to HTTPS whenever possible for many sites. 
Wikipedia is among the supported sites.

    https://www.eff.org/https-everywhere

The author of that plugin reached out to the foundation some months ago 
complaining that upload.wikimedia.org and commons.wikimedia.org had no 
HTTPS equivalents. I honestly don't know all of the security 
implications there -- upload.wikimedia.org seems okay (from a login 
hijacking perspective), since we never transmit any login credentials 
there, but we do with commons.wikimedia.org, and there's no HTTPS 
equivalent.


On 10/25/10 10:26 AM, Marco Schuster wrote:
> On Mon, Oct 25, 2010 at 7:15 PM, Hay (Husky)<hus...@gmail.com>  wrote:
>> Has anyone seen this?
>>
>> http://codebutler.com/firesheep
>>
>> A new Firefox plugin that makes it trivially easy to hijack cookies
>> from a website that's using HTTP for login over an unencrypted
>> wireless network. Wikipedia isn't in the standard installation as a
>> site (lots of other sites, such as Facebook, Twitter, etc. are). We
>> are using HTTP login by default, so I guess we're vulnerable as well
>> (please say so if we're using some other kind of defensive mechanism
>> I'm not aware of). Might it be a good idea to set HTTPS as the standard
>> login? Gmail has been doing this since April this year.
> Firesheep works by snooping cookies, not login processes, and it's
> even without software like this incredibly easy to own someone. All it
> needs to own a Wikipedia admin or user is being in the same network as
> him.
> The admin in question doesn't even have to visit Wikipedia directly,
> there are enough pages hotlinking to upload.wikimedia.org, which
> should cause the browser to transmit session data.
>
> If you're in need of using secure login, then you can use the secure
> webserver, but in the past it had some load issues.
>
> Marco

-- 
Neil Kandalgaonkar (|  <ne...@wikimedia.org>
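Added example, not part of this thread and not MediaWiki code: a small Python audit that shows which cookies a browser would attach to a plain-http request (for instance a hotlinked image on a separate upload host, as mentioned above) and which session cookies lack the Secure and HttpOnly flags. The cookie names, hosts and values are constructed for illustration.

```python
"""Audit Set-Cookie headers for session cookies that travel in the clear.

Constructed example: cookie names, values and hosts below are made up and
are not taken from any real server's responses.
"""
from urllib.parse import urlparse


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"secure": False, "httponly": False, "domain": None, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("secure", "httponly"):
            attrs[key] = True
        elif key == "domain":
            # A leading dot is ignored by browsers (RFC 6265).
            attrs["domain"] = val.strip().lower().lstrip(".")
        elif key == "path":
            attrs["path"] = val.strip() or "/"
    return name.strip(), value.strip(), attrs


def domain_matches(request_host, cookie_domain, origin_host):
    """Host-only cookies (no Domain attribute) go back only to the host that
    set them; Domain=... cookies go to that domain and all its subdomains."""
    request_host = request_host.lower()
    if cookie_domain is None:
        return request_host == origin_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 path matching: the cookie path must be a prefix of the
    request path, ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(cookies, origin_host, request_url):
    """Names of the cookies a browser would attach to request_url.

    Secure cookies are only sent over https; every other matching cookie is
    also sent over plain http, where a passive sniffer on an open wireless
    network can read it."""
    url = urlparse(request_url)
    sent = []
    for name, _value, attrs in cookies:
        if not domain_matches(url.hostname, attrs["domain"], origin_host):
            continue
        if not path_matches(url.path or "/", attrs["path"]):
            continue
        if attrs["secure"] and url.scheme != "https":
            continue
        sent.append(name)
    return sent


def audit(set_cookie_headers, origin_host, session_cookie_names):
    """Report session cookies missing the Secure or HttpOnly flag."""
    findings = []
    for name, _value, attrs in map(parse_set_cookie, set_cookie_headers):
        if name not in session_cookie_names:
            continue
        if not attrs["secure"]:
            scope = attrs["domain"] or origin_host
            findings.append(f"{name}: no Secure flag; sent in clear to http://{scope}/ and subdomains")
        if not attrs["httponly"]:
            findings.append(f"{name}: no HttpOnly flag; readable by page scripts")
    return findings


# Constructed Set-Cookie headers modelled on a wiki login response.
SAMPLE_SET_COOKIE = [
    "wikiSession=abc123; Path=/; Domain=.example.org",
    "wikiUserID=42; Path=/; Domain=.example.org; HttpOnly",
    "wikiToken=deadbeef; Path=/; Domain=.example.org; Secure; HttpOnly",
    "hostOnly=1; Path=/",
]
ORIGIN_HOST = "commons.example.org"          # host that issued the cookies
SESSION_COOKIES = {"wikiSession", "wikiToken"}

if __name__ == "__main__":
    jar = [parse_set_cookie(h) for h in SAMPLE_SET_COOKIE]
    # A hotlinked image on the upload host, fetched over plain http.
    print(cookies_sent(jar, ORIGIN_HOST, "http://upload.example.org/pic.jpg"))
    for finding in audit(SAMPLE_SET_COOKIE, ORIGIN_HOST, SESSION_COOKIES):
        print(finding)
```

Running it shows that a domain-scoped session cookie without the Secure flag is attached to a plain-http image request on a sibling host, while the cookie flagged Secure is held back until the request is https; the audit output names the cookies that need the flag.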

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
