Tim Starling wrote:
There's a simple, non-invasive way to determine the IP address of an AOL client, which I've been looking into recently: use SSL sign-on. Make the login links go to https://secure.wikimedia.org, and redirect them back when they're logged in. SSL requests skip the proxy cluster. We would store the IP address at login in the session, and then continue to use that IP address for the user after they return to the unsecured part of the site. And of course there are security benefits for all users.
If that really works, couldn't we just make AOL users _edit_ over SSL?
Have http links with action=edit (or action=submit) redirect to an https
URL if fetched from an AOL proxy.
This would break talk message notification for unregistered AOL users,
but I suppose we could use a cookie for that. After all, talk pages are
public, so there's no security issue even if someone fakes the cookie.
Now, that's an *excellent* idea.
1. The SSL overhead will be low, because edits are a tiny fraction of the overall traffic
2. If we only SSL the form submission, this limits the SSL overhead even further.
3. AOL browsing will still be proxied, so page-view load will not increase
4. AOL _browsing_ will still be completely anonymous
5. AOL IP editors will still be as anonymous as any other IP editors
6. Dynamic IP assignment should not be any more or less of a problem than with other ISPs
Are there any reasons why this should not work? Perhaps this could be
the solution for all non-XFF-friendly ISPs?
-- Neil
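
The redirect and session-pinning logic discussed in this thread, sketched as an added example that is not part of the original messages or of MediaWiki's code. The proxy ranges are constructed placeholders, the function names are hypothetical, and the secure host is assumed to serve the same path and query string.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed placeholder ranges (RFC 5737 documentation nets), not real AOL proxy ranges.
PROXY_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
SECURE_HOST = "secure.wikimedia.org"   # host named in the thread
EDIT_ACTIONS = {"edit", "submit"}


def from_shared_proxy(remote_addr):
    """True if the TCP peer address falls inside a listed proxy range."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in PROXY_NETS)


def edit_redirect_target(url, remote_addr):
    """Return the https URL to redirect to, or None to serve the request as-is."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None                      # already on SSL, which per the thread skips the proxies
    action = parse_qs(parts.query).get("action", ["view"])[-1]
    if action not in EDIT_ACTIONS or not from_shared_proxy(remote_addr):
        return None                      # page views stay proxied and on plain http
    # Assumption: the secure host serves the same path and query string.
    return urlunsplit(("https", SECURE_HOST, parts.path, parts.query, ""))


def attributed_ip(session, remote_addr, is_ssl):
    """IP to record for a user: pin the address seen over SSL, reuse it afterwards."""
    if is_ssl:
        session["ssl_ip"] = remote_addr  # peer address observed on the SSL request
    return session.get("ssl_ip", remote_addr)
```

The proxy check uses only the TCP peer address, never a client-supplied header, so the redirect decision cannot be steered by the request itself.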