Sooo... we're on the way to HTTPS... what's next?
YubiKey/Google Authenticator/etc... 2-factor auth? Or signed client side user certificates (<keygen>, etc...)?

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]

On Wed, 04 Apr 2012 04:31:02 -0700, Petr Bena <benap...@gmail.com> wrote:

Ok, your reply makes a lot of sense. However, the problem is that as users
get more "hats" they are usually more afraid of losing them :-) and
would probably like to have an option to protect themselves from attackers (I
don't really know, but I hope that people with some extra flags are
trying to have a secure password at least). The account is getting
more valuable, and for example the account of some stewards might be a good
target for hackers. The question is how these people can defend
themselves when the philosophy is "we don't need strong security
because user accounts aren't valuable / can't do much damage to the site"
- when their account is compromised, they will surely have the flags
revoked permanently, and that's likely not what they want. So at some
point, having more security measures which could be opt-in for people
who do care about their account, as opposed to people whose account
isn't interesting for hackers, would make some sense too. Given that
there are thousands of sysops on big projects, I guess they would
welcome having this feature. (Not that I care, personally; I was just
interested in implementing that in MediaWiki.)

On Wed, Apr 4, 2012 at 11:48 AM, Thomas Morton
<morton.tho...@googlemail.com> wrote:

The current process needs to be done by hand, which isn't just
annoying, but also not fail-safe; some accounts might be overlooked,
etc. Bureaucrats can misclick or forget.


Certainly automatic de-sysoping after a certain inactivity would be useful;
an extension that does the notifications and ultimately the de-sysoping
would be useful to automate the community approved process, don't get me
wrong on that front, I like the idea!


The email account is likely
much safer than the Wikimedia account,


Not a good premise to take; email accounts are high value targets (as
opposed to a Wikipedia account, which has relatively low general value).
So although they are harder to crack (to a point) they are also more
worthwhile targets.

So an email account is a significant risk.

And an account without an email address added could be argued to be
*more* secure.

Google, for example, offers a
lot of security measures we don't, because they don't follow the "hacking a
user wouldn't do much damage" philosophy.


It's largely security theatre, except for two-factor authentication (which is actually useful). Our accounts simply aren't that valuable, which is why actual security of that form isn't really a good option. What you proposed
is only really a stopgap.


And I guess many other
providers do the same. Hacking two accounts would be much harder
than hacking one, given that once the first account is hacked, the
user would be immediately notified by email (the hacker would have very
limited time to hack into the email box as well).


Realistically, and in my experience, this is not the case. You're relying
on the user to respond, or being in a position to respond - which is the
critical failing of the proposal.

When we do pen tests, often we will make notifications of some sort appear in front of users to see how they respond to them - and often the response is confusion, not concern. Remember: the large part of the WM community is
*not* technical.

Tom

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l