On 23 August 2013 18:13, Tyler Romeo <tylerro...@gmail.com> wrote:

> On Fri, Aug 23, 2013 at 5:33 PM, Risker <risker...@gmail.com> wrote:
>
> > As I said, Marc, there's already an offline discussion happening looking
> > for ways to effectively manage this without outright banning editors from
> > those geographical regions from serving Wikimedia communities.  A
> decision
> > to prevent users from certain countries or with certain technical
> > challenges from holding these permissions is as much a policy issue as it
> > is a security issue (it's also a cross-wiki one), so that aspect needs to
> > be considered from a broad community perspective.
> >
>
> It's statements like these that make me question whether the WMF actually
> cares about its users' privacy in the first place. There's some big talk on
> this list about "subverting the NSA" and making sure that users are secure
> within their accounts when using Wikipedia. But if you're not willing to
> actually do something about privacy, then it's just talk.
>


> It is completely unacceptable for checkusers in China to be logging in over
> an insecure connection. The Chinese government directly monitors these
> connections and can easily harvest these passwords en masse. I truly
> sympathize with Chinese Wikipedians who aspire to hold checkuser positions,
> but putting at risk the IP address information of every user on Wikipedia
> just for the sake of one person who wants to volunteer in a certain
> capacity is completely unacceptable.
>

I'm not disagreeing with you about Checkusers (wherever they're from)
needing to have secure connections when using the tools.  If a community
RFC was posted today, I would support that requirement.



>
> If a technical solution can be found that facilitates affected users being
> > able to securely use the tools, then the policy discussion would focus on
> > whether we require those editors to use the technical solution, instead
> of
> > recommending outright bans to granting advanced permissions to those
> > affected by HTTPS issues.  Solutions are already being considered and
> > examined for this; granted, the discussion is occurring off-wiki so you
> > wouldn't have been aware.
>
>
> There is no technical solution, as has been discussed previously. The China
> firewall blocks all HTTPS connections. There is no legal method of getting
> around this. The only solution that would preserve both accessibility and
> security would be if Wikipedia implemented its own application level TLS
> protocol, which would be an absurd undertaking, and would probably just
> result in the Chinese government blocking Wikipedia completely anyway.
>
> You're going to have to choose: risk everybody's privacy or deny checkuser
> opportunities to people in China.
>
>
There are other options. The question is whether or not they can be made to
work in the MediaWiki/WMF circumstances.  If you looked at the data
collected to see where HTTPS attempts were unsuccessful, you'd see that
there are editors in a lot of countries with issues (i.e., greater than 5%
failure rates), and most of them are technical issues.  Suddenly you're not
just talking about a few projects, you're talking about dozens who may have
difficulty getting CU/OS support internally.

The people in our many overlapping MediaWiki and Wikimedia communities have
come up with a lot of very creative solutions to problems that other sites
haven't figured out or don't care enough to bother with.  I have a lot of
faith that some out of the box thinking might very well resolve this
specific issue, and possibly open a gateway to solving the security issue
for even larger groups.

Risker/Anne
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Reply via email to