Re: [Wikitech-l] MediaWiki's Login Security

Sat, 24 Aug 2013 09:51:37 -0700

Le Sat, 24 Aug 2013 00:45:05 +0200, Tyler Romeo <tylerro...@gmail.com> a écrit:
Unfortunately it's very difficult to do this. On our login forms you enter 
your username and password simultaneously, which means the server can't
possibly know if the user has to be using HTTPS until they've already
submitted their password, thus defeating the purpose. That's why
$wgSecureLogin is made to *always* put logins over HTTPS, no matter what,
and then direct the user to the appropriate protocol afterwards.



An other solution is the use of one-time passwords [1] for high-security  
or https-unfriendly users (e.g. logging in) or actions (e.g. checkuser  
action). Such one-time passwords can be generated entirely on the client  
side (e.g. a program) or on an external device (e.g. SecurID [2]). This  
transfers the problem "unsecure password" to a problem "protection of the  
password generator" (e.g. with an offline password) and introduces the key  
distribution problem (e.g. the physical device).



If used on HTTP the server response must be encrypted and processed by the  
client with JavaScript; there exists such JavaScript cryptographic  
libraries [3][4] (I didn’t test them).



Le Sat, 24 Aug 2013 00:13:03 +0200, Tyler Romeo <tylerro...@gmail.com> a  
écrit:

There is no technical solution, as has been discussed previously. The  
China
firewall blocks all HTTPS connections. There is no legal method of  
getting

around this. The only solution that would preserve both accessibility and
security would be if Wikipedia implemented its own application level TLS
protocol, which would be an absurd undertaking, and would probably just
result in the Chinese government blocking Wikipedia completely anyway.



Just for the sake of documention there exists a JavaScript TLS library [5]  
(I didn’t test it). This could also be used for high-security or  
https-unfriendly users or actions.



Anyway I guess that if any encryption (HTTPS, JavaScript TLS, etc.) is  
used on the whole encyclopedia the Chinese government will also likely  
block also the HTTP version because it could no more filter it, just like  
the HTTPS now.


[1] https://en.wikipedia.org/wiki/One-time_password
[2] https://en.wikipedia.org/wiki/SecurID
[3] http://code.google.com/p/crypto-js/
[4] http://crypto.stanford.edu/sjcl/
[5] http://digitalbazaar.com/2010/07/20/javascript-tls-1/

~ Seb35

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

























					Reply via email to